Slashdot Mirror


Doorways Sneak To Non-Default Ports of Hacked Servers

UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable legitimate websites injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence of webmasters of compromised sites makes this scheme viable — doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of using established domain names."

12 of 63 comments

  1. Are we finally using the term "pirates" correctly? by mykos · · Score: 2

    This seems more like they're boarding ships than infringing on copyright.

  2. Re:What the fuck is a doorway? by Anonymous Coward · · Score: 2, Informative

    Maybe it has something to do with the submitter's name being "UnmaskParasites" and the URL of the article being http://blog.unmaskparasites.com/2010/12/03/doorways-on-non-default-ports-new-trend-in-black-hat-seo/.

    If the author of the article did indeed just submit it here in some petty attempt to get traffic, he or she probably wouldn't have known what was unclear with the article.

    Had some neutral party submitted this, this submitter may have had to also look up these non-standard terms, and may have had the sense to include the definitions in the summary.

  3. Re:What the fuck is a doorway? by billcopc · · Score: 2

    Or maybe the submitter hacked into an Apache server, put up this navel-gazing article and submitted via a non-default port to Timothy's queue.

    o_O

    Or maybe Slashdot is turning into a keyword spam infested link dump, like Digg and Reddit and the rest of the goddamned web. I miss the days when we featured cool nerdy projects, and Ask Slashdot required an IQ of at least 120 to even understand the question. This place has gone to the dogs.

    --
    -Billco, Fnarg.com
  4. Re:Are we finally using the term "pirates" correct by adolf · · Score: 4, Funny

    Piracy is well established as meaning copyright infringement. I don't think we should confuse the issue by labeling much worse things (i.e. these hacker peoples) as piracy.

    Ob-1999: I think you misspelt "cracker."

  5. Firewall by xluap · · Score: 3

    Would blocking unusual port numbers in the firewall be a solution?

    1. Re:Firewall by ledow · · Score: 2

      Er, yeah - any decent hosting setup should have all unused ports firewalled off, hopefully on a separate device.

      Again, poor configuration is the target, not any weakness in the actual technology.

    2. Re:Firewall by DavidTC · · Score: 2

      Technically, apache's config file permissions could be set so the apache user could reconfigure them without root privs, so the attacker might not have root...to start with.

      Of course, if they can reconfigure apache as a normal user, they can configure it to, tada, run as root, which neatly solves the whole 'not having root' problem.

      I'm a little amazed that attackers are reconfiguring apache instead of coming up with some rootkity http server of their own.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    3. Re:Firewall by La+Gris · · Score: 3, Interesting

      No need to access or change the normal Apache config.

      Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...

      It suffices to gain user shell access and inject some content to serve.

      That's why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has a very restricted network setup only able to talk to the front servers.

      --
      Léa Gris
  6. Here's an example break-in. by Animats · · Score: 5, Informative

    Here's a typical break-in, at University of Oakland. This has a good search position in Google for "64 bit Windows". This leads to a software-for-sale page with phony seals of approval from Microsoft, Verisign, etc. That's hosted at Starnet, in Moldova. The payment site for the sales site is "payment8ltd.net", also hosted on Starnet in Moldova. They're selling pirated copies of brand-name software at roughly half retail price.

    That site has a TrustWave seal, which pops up a popup for Paym8, a real payment processor in Zaire. TrustWave's seal server doesn't check the referrer when displaying a seal popup, so it can be spoofed. Nor does the TrustWave seal even give the domains to which it applies. Verisign and BBBonline check this, but not TrustWave.

    It looks like the actual payment processing occurs at "https://payment8ltd.net/shop/order/process/"; that's where the order goes on "Submit". The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.

    Starnet presents itself as an Internet and telecom service provider, offering the usual data, voice, colocation, and hosting. Headquarters of Starnet seems to be at Vlaicu Parcalab, 63, Chisinau, Republic of Moldova. That's a property of Flexi Offices, one of those small-office rental places. Interestingly, Microsoft also has an office in that building.

    There's actual Whois information for that site:

    Registrant Contact: Viktor Menshikov
    Viktor Menshikov (loyal@yourisp.ru)
    ul.V.Urdasha d.36 kv.1
    Rakovo, Respublika Tatarstan, RU 422455
    P: +7.8435122221 F: +7.8435122221

    That location exists; it's a farm town about 500 km east of Moscow. Probably not a real address.

    Searching for "yourisp.ru" brings up a large number of scam reports. The domain itself is registered but not in DNS.

    Most of this recent batch of attacks seems to have similar underlying information.

    1. Re:Here's an example break-in. by QuoteMstr · · Score: 2

      This is exactly the crap that Microsoft's Genuine Advantage is designed to stop. Small-scale personal piracy is one thing, but I fully support efforts to squash unctuous commercial enterprises like this one.

  7. Re:What the fuck is a doorway? by DavidTC · · Score: 2

    Uh, no, ideally you shouldn't allow the web server to rewrite its own config.

    If it can do that, it's either already running as root, or, duh, its config files can be rewritten so it, from then on, runs as root. Which means the attacker is now running as root either way.

    Frankly, half the time it'd be easier to detect extra ports than extra files. A lot of people have either gui interfaces to their http config, at which point an extra server on a weird port showing up would be noticeable, or have a script that writes the config files from a database, in which case an extra server might be erased (Depends on where it was added, though.)

    Hell, you'd probably notice it from netstat at some point.

    Whereas malicious files hidden in a web site tend to be hidden in a .whatever directory and some obscure CMS include/ file patched to include them, which no one will ever notice.

    But stopping 'extra ports' actually does fuck-all for security anyway...it hardly matters if attackers are running malicious web sites out of extra http locations they've set up, or the pre-existing web server...the security implication of that is exactly the same.

    The security implications of attackers rewriting http config files, OTOH, are through the roof. If you want to rewrite the http config from web pages, either use something like Webmin, which is designed for it and allows you to run your actual websites as an unprivileged user, or use a page that rewrites a database, and have a root-owned and root-running script that looks for updates to that database and rewrites everything. Do not, I repeat, do not, make /etc/httpd/domains.d/ owned by apache. (Or whatever the path and user for your web server.)

    Like I said, it's trivially easy for an attacker with just web-server permissions to figure out that location and write a file that gives the web server root access, and next time it gets restarted...hey, look, their malicious scripts have root access also.

    --
    If corporations are people, aren't stockholders guilty of slavery?
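The Firewall subthread (ledow, DavidTC, La+Gris) and DavidTC's point above that an extra listener "would be noticeable" from netstat both come down to the same defensive check: enumerate what is actually listening and compare it with what the host is supposed to serve. The script below is an added example, not code from any commenter or from the linked article. It parses the output of `ss -ltnp` (the `SAMPLE_SS_OUTPUT` text is constructed for the example, not captured from a real host; the PIDs, port 13675 and the process names are assumptions) and reports three things: listeners on ports outside an allow-list, listeners that look like a web server binary on such a port, and process names that appear under more than one PID, which is what a second apache2 instance spawned by a compromised account (as in La+Gris's `apache2 -d /tmp/... -c "listen ..."` description) would look like next to the legitimate one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (assumed, not taken from a real server).
# The apache2 on port 13675 with a different PID stands in for the rogue
# instance described in the thread; 80/443 belong to the legitimate server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*           users:(("apache2",pid=1020,fd=4))
LISTEN 0      511    *:443               *:*           users:(("apache2",pid=1020,fd=6))
LISTEN 0      511    0.0.0.0:13675       0.0.0.0:*     users:(("apache2",pid=4471,fd=4))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=812,fd=4))
"""

# Ports this host is expected to serve on (assumption for the example).
ALLOWED_PORTS = frozenset({22, 80, 443})

# Process names that indicate an HTTP server (assumption; extend for your stack).
WEB_BINARIES = ("apache2", "httpd", "nginx")

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    pid: int


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -ltnp` lines into Listener records (header line is skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is "addr:port"; IPv6 looks like "[::]:22", so split on the last colon.
        port = int(fields[3].rsplit(":", 1)[1])
        m = _PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append(Listener(port, proc, pid))
    return listeners


def unexpected_listeners(output: str, allowed=ALLOWED_PORTS) -> list[Listener]:
    """Every listening socket whose port is not on the allow-list."""
    return [l for l in parse_ss(output) if l.port not in allowed]


def rogue_web_servers(output: str, allowed=ALLOWED_PORTS) -> list[Listener]:
    """Unexpected listeners that are served by a known web-server binary."""
    return [l for l in unexpected_listeners(output, allowed) if l.process in WEB_BINARIES]


def extra_instances(output: str) -> dict[str, set[int]]:
    """Process names that are listening under more than one PID.

    A legitimate server usually binds all its ports from one master PID; a second
    PID with the same binary name is worth a look at its ServerRoot and owner.
    """
    pids: dict[str, set[int]] = {}
    for l in parse_ss(output):
        pids.setdefault(l.process, set()).add(l.pid)
    return {name: s for name, s in pids.items() if len(s) > 1}


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: port {l.port} ({l.process}, pid {l.pid})")
    for name, pids in extra_instances(SAMPLE_SS_OUTPUT).items():
        print(f"{name} is running as {len(pids)} separate listening processes: {sorted(pids)}")
```

On a real host, feed it `subprocess.check_output(["ss", "-ltnp"], text=True)`; note that `ss -p` only shows process names for sockets owned by other users when run as root, so run the check with root (or from a cron job) or the rogue instance will show up with its port but without a process name, which is still a finding. Pair this with the firewall point made in the subthread: an allow-list in the host or upstream firewall means a listener on an unapproved port is unreachable from the Internet even if it is not noticed immediately.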
  8. Re:How do I check this on a hosted server? by DavidTC · · Score: 3, Informative

    FTP down the entire contents of your site, and see if anything seems wrong. Directories you don't remember with frame pages, stuff like that.

    If you have a CMS like Joomla or Drupal, download a clean copy of the same version, extract it somewhere, and run something like WinMerge on the entire two directories. See what's different...should only be stuff you've installed, like themes and components, unless you've done some manual hacking.

    Likewise, if it's just 'your site', if you're the only editor, and you upload it using FTP...download it to a different directory, and run WinMerge to compare. They obviously should be identical.

    Downloading via FTP will also run a virus scan on it if you have real-time scanning, although feel free to also do that manually.

    Incidentally, that won't do anything for this problem. If they've hacked your hoster to put extra web sites up on your domain on other ports, it's unlikely you'll be able to notice this, and they certainly won't be in your directories. But doing that requires root access, and this article is idiotic...if attackers have root on your server, the fact they can add extra http servers is the least of your problems.

    Checking all the files helps for the more common attack of them putting up a directory on your site, and sticking malicious stuff in there, or including javascript files that pull in malicious stuff from elsewhere.

    Also, checking every link won't help. You don't have to have a link to that stuff for it to get into Google.

    --
    If corporations are people, aren't stockholders guilty of slavery?
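The "download a clean copy and WinMerge the two directories" procedure above is easy to script, and scripting it is what makes it repeatable. The following is an added example, not code from DavidTC or from any CMS project: it hashes every file under a pristine reference tree and under the downloaded live tree, then reports files that were added, removed or modified, with an ignore-list for paths you installed yourself (themes, components). The two directory trees, including the patched include and the hidden `.cache/` directory, are constructed inside the script in a temporary directory purely to make it run offline; on a real site you would point `compare_trees` at the extracted clean tarball and at your FTP download.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root.

    pathlib's rglob does not skip dot-files, so hidden directories are included.
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean: Path, live: Path, ignore_prefixes: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Diff a pristine CMS copy against the downloaded live site.

    'added' ignores paths under ignore_prefixes (things you installed yourself);
    'modified' and 'missing' never ignore anything, since a changed core file is
    exactly the kind of patched include/ the thread warns about.
    """
    clean_h, live_h = hash_tree(clean), hash_tree(live)

    def ignored(rel: str) -> bool:
        return any(rel.startswith(pfx) for pfx in ignore_prefixes)

    return {
        "added": sorted(r for r in live_h if r not in clean_h and not ignored(r)),
        "missing": sorted(r for r in clean_h if r not in live_h),
        "modified": sorted(r for r in clean_h if r in live_h and clean_h[r] != live_h[r]),
    }


def build_demo_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample: a clean CMS copy and a live copy with two injected changes.

    File names and contents are assumptions for the example, not any real CMS layout.
    """
    files_clean = {
        "index.php": "<?php require 'includes/init.php';\n",
        "includes/init.php": "<?php // bootstrap\n",
        "includes/config.php": "<?php $db = 'example';\n",
    }
    files_live = dict(files_clean)
    # An obscure core include patched to pull in a hidden directory (simulated).
    files_live["includes/init.php"] += "include '.cache/doorway.php';\n"
    files_live[".cache/doorway.php"] = "<?php // injected page (sample)\n"
    # Something the site owner legitimately installed; should not be reported.
    files_live["templates/mytheme/style.css"] = "body {}\n"
    for name, files in (("clean", files_clean), ("live", files_live)):
        for rel, body in files.items():
            p = base / name / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    return base / "clean", base / "live"


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo_trees(Path(tmp))
        return compare_trees(clean, live, ignore_prefixes=("templates/",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

Run it against a clean copy of exactly the same CMS version, as the comment says, or every core file will show as modified. Keeping the report from a known-good run and diffing future reports against it turns this into a simple file-integrity check; as the comment also notes, it does nothing for content served from a separate web server on another port, which is where the listener check belongs.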