Please DO NOT confuse PHP-Nuke (in my opinion badly coded and yes, vulnerable to script kiddies) with this article about PostNuke.
They are very different CMSs.
PostNuke is a fork of PHP-Nuke, but they hardly contain the same code anymore.
PHP-Nuke is developed by one person who (in my opinion) has very weird ideas of open source and how things should be done. He's basically a one-man team and doesn't want anyone else touching his baby. They consistently find new bugs in PHP-Nuke's core modules.
PostNuke on the other hand is developed by a team of good, knowledgeable people. There have been very few exploits for the PostNuke core modules.
Of course, both these CMSs support 3rd party modules and often these are where the exploits are found. Because of this, people have this idea that the CMSs themselves are badly coded/vulnerable, when in fact it's badly written 3rd party modules.
I run a PostNuke site myself (as you can probably tell by my bias above), but I also use mod_security and grsecurity to help keep the site tightened down. I have a lot of 3rd party modules myself and I just know they're going to get exploited at some stage!
That is all, sorry I don't have something insightful to say. I'm going to come back and check this in 5 years time... If it's still here I'll reply to myself.
Life is crazy.
Re:Already in use on Hardened PHP · Score: 2, Informative
There is a 2.4.7-dev version from CVS that works quite well with PHP5!
I don't think its future is in doubt at all, just that the insane pace it was developed at has slowed a little bit.
Re:Already in use on Hardened PHP · Score: 4, Informative
Turck MMCache dev stopped since the lead dev was taken in by Zend. That doesn't mean development has stopped though! New people have taken it over and are slowly coding new stuff up!
Why would you do MAC filtering on your BGP sessions?
If your upstream swaps a router in the middle of the night due to a hardware failure, you're dead until you've updated your MAC filter. It's a flawed argument anyway, these packets are coming from a remote host, via your peer to you. If you MAC filter your peer you can't talk BGP to him anymore...
Again for IPs, these packets are going to be spoofed to appear to come from expected IPs. How do you filter against that easily from an IP point of view? You can't, that's why they're talking about MD5 authentication on the BGP sessions.
My main point was your statement "The amount of TCP a router talks is strictly limited to admin" is incorrect, because BGP uses TCP as its transport method.
If you read the article it'll explain it for you, but basically:
Routers from different ASes talk to each other using BGP4. This protocol uses TCP.
The "exploit" uses spoofed packets, so the router will process them as if they came from its neighbour.
So yes, while the router is mostly "shoveling packets", it learns the direction in which to shovel these packets via the exploitable method.
If you want to disagree, feel free to let all the major tier 1 ISPs who have been busily implementing MD5 authentication on their BGP sessions know they're wrong.
Yes, it is saving you. That doesn't mean someone won't release an exploit that doesn't trigger PaX though. It's just the way this particular example of the exploit is coded that PaX (part of Grsec) is catching. Doesn't mean someone can't code up a version of the exploit that won't trip PaX and hack you to bits!
Upgrade to the latest grsec; there are patches for the latest 2.4.25 kernel.
You're missing what they mean by "stable". They don't necessarily mean software not crashing stable (though that's part of it).
They mean the APIs for programs will stay the same, the expected behaviour of a program will stay the same.
The only time anything like that gets modified is for security fixes. But it's why they backport the fixes, so that program behaviour is the same as it's always been.
Re:I've found Mozilla more universal. on PINE Releases 4.50 · Score: 1
Some good points.
I guess it comes down to what exactly you're trying to do. I have my own machine just for me, so it's not a problem for me. But yes, for a whole bunch of users I can see why you might want to nail them down to mail only via an SSL IMAP connection.
I still disagree it's a hack though :)
Tim
Re:SSH for mail is a hack. on PINE Releases 4.50 · Score: 3, Insightful
Why is it an ugly hack?
It's secure. It's quick and easy.
I'm at an internet cafe right now. It's much easier and faster for me to download PuTTY and ssh to my box than to wait for 20 minutes for Mozilla to download, then for me to install it and to set it up etc. Then I have to remember to uninstall it when I leave the cafe, so that others don't get my info/headers that may get left behind.
Not to mention it leaves another port open on my box for the world to see. I'd much rather just have port 22 open.
I agree with your comment, imap over ssl is nice, but it's not always easy or quick. I also can't see why you'd call it an ugly hack?
Tim
Re:I don't really get blogs... on Blogger Hacked · Score: 2
If you don't get blogs, why is your website a blog?
Great post, all very true points.
However, I'd still mod you down. Juniper Networks (layer3) and Extreme Networks (layer2) over that Cisco crap any day! ;)
The company I work for is using GigE as a local metro area access method. Moving to 10gig will probably be one of the next things we do.
I can't see it being something normal users will ever need though; most people (by this I mean users) wouldn't notice if their network card was turned down to 10meg (as long as it was still full duplex).
Tim
I think you're getting a bit over excited.
If people have cracked routers there's nothing to stop them already from advertising routes to the global routing table, claiming to have a better path to "phishing site" than the router currently has for "proper site".
This exploit isn't a crack. All it means is that the hacker can take down a number of BGP sessions if he so wishes.
The sky is not falling; most ISPs with any clue have been working on this for the last week already.
Yes, I use this.
I also combine it with grsecurity, which adds even more protection.
You should always remember though, these are just added layers of security. If someone can sniff your root password you're still cactus.
This exists!
Check out http://grsecurity.net, a great kernel patch that I personally think should be merged into the default kernel.
Tim
May I instead suggest Miranda for ICQ?
By default it's bare bones basic. You can add all the functionality you want with plugins. It's very stable (though some plugins can cause crashes).
Plugins are also available for AIM, Yahoo and MSN if you desire.
Win32 only though. But I find licq (the latest version) to be very stable for *nix.
Miranda:
http://miranda-icq.sf.net
Licq:
http://www.licq.org
This article makes no sense from a proper real world routing perspective.
Any provider who is doing anything slightly serious will be using BGP4 routing for their EGP. It does NOT send out magic packets to find best paths. It learns routes from its peers and will choose the best route based on a defined set of decisions. Routers do not keep a list of "neglected routes." If one route goes away, the router will simply pick the next best path.
Read more about BGP4 from Cisco's website. You will find little in common with this article and the one linked in the story.
Good routing relies on good admins with a well defined routing policy. There is no such thing as a "selfish" router.
Tim
What about the guy who changed his name to this?
Just as fast as Zend Accelerator, costs exactly nothing.
The PHP Accelerator.
The correct category would be:
PEBCAK
Problem Exists Between Chair and Keyboard.
I don't know HOW I managed to post that followup to this story.
I'm just extra special/stupid I guess.
I just sent this to JP.
I don't suppose he'll care though.
--
This is the funniest thing I've read in a while.
You are so high and mighty over what?? A few websites that got hacked!
I don't have anything against you, but your article is laughable. Your "Virtual Fingerprinting System"? Care to explain what exactly that is?
From your article it appears to be nothing more than grep, cat and diff.
The thing I find most amusing though is again your high and mighty attitude. As if what you're reporting _Really Actually Matters_ to anyone bar a few nerdy computer types. I freely admit to being a nerdy computer type myself. So a few websites got hacked. Did anyone die? No. Did anyone get hurt? No. A few bruised egos aside.
Anyway, I'd be *most* interested to see you respond in public to Attrition.org's response to your article.
*If* what they're saying is true you sure have a lot of egg on your face.
I personally don't have an opinion either way. It seems you're both trying to take yourselves so seriously that you can't see how totally irrelevant to anything this is.
*Catch* the hackers with some solid evidence. That'd actually be something then. As opposed to grep and diff on a few files.
Tim Harman