
Dealing with Vulnerable Code on Customer Sites

DigitalCrowd

Basic Pleskian
Okay, the past four days have been a nightmare. It started off Saturday when our upstream provider disabled one of our servers from the Internet due to UDP attacks, and then the provider failed to notify us of this. After xx hours, we finally got ahold of someone in the know and got our server back, only to battle additional attacks until the problem code was found and removed.

Then, today, two unrelated sites on the same server had totally differently coded contact-us forms that were used to send tens of thousands of spam emails.

How do you typically handle these issues with customers? How do you prevent these types of things? I realize securing things like wget to only be run by root, firewalls and the whole works, but for example, the spam issue would still have happened even with all those security measures in place.

Are there applications which can either be run on a server to scan code or scan a website for vulnerable code so that we can alert customers (and ourselves) before these events take place?

How do you handle customer issues like this? What type of penalty do you place (financial or otherwise), and short of letting them go (for repeated issues), how do you deal with it?

Thanks.
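One defender-side check for the contact-form abuse described above, as an added example that is not from the original thread: flag any web script that sends a burst of mail far beyond what a contact form legitimately needs, so the abuse is caught before an upstream provider pulls the server. The log format, script paths and thresholds below are constructed assumptions for illustration, not Plesk's or any mailer's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified, hypothetical format (not a real Plesk,
# sendmail or qmail line): "<ISO timestamp> script=<php file that called mail()> to=<rcpt>"
def build_sample_log():
    base = datetime(2007, 3, 10, 14, 0, 0)
    lines = []
    # A legitimate contact form: three messages spread over an hour.
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} script=/vhosts/site-a.test/contact.php to=owner@site-a.test")
    # An abused form: two hundred messages in under seven minutes (2 s apart).
    for i in range(200):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} script=/vhosts/site-b.test/form.php to=victim{i}@example.test")
    lines.append("this line is noise and will be skipped")
    return "\n".join(lines)

LINE_RE = re.compile(r"^(?P<ts>\S+) script=(?P<script>\S+) to=(?P<rcpt>\S+)$")

def parse_log(text):
    """Return a list of (timestamp, script) events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["script"]))
    return events

def find_bursts(events, window=timedelta(minutes=10), threshold=50):
    """Return {script: peak messages inside any sliding window} for scripts at or over threshold."""
    per_script = defaultdict(list)
    for ts, script in events:
        per_script[script].append(ts)
    flagged = {}
    for script, stamps in per_script.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it covers at most `window` of time.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[script] = peak
    return flagged

if __name__ == "__main__":
    for script, peak in find_bursts(parse_log(build_sample_log())).items():
        print(f"ALERT: {script} sent {peak} messages within 10 minutes")
```

A real deployment would read the mailer's actual log and feed the flagged script path to a ticket or to a rule that suspends mail for that vhost until the form is fixed.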
 
Boy, wouldn't that be nice.

My server was also pulled because of an AUP.

They are "Investigating" it right now, but this has gotten right out of hand.

I'm going to find the script that's doing this and I'm going to drop the client that has it, but no one can tell me which particular script it is, where it is, or anything other than the IP it's coming from and the IP it's going to.

They only tell me the Ports and that it's UDP.

This seems to be a very specific problem and needs to be addressed by SWSoft.
 
mod_security and all the gotroot.com rules will block most of this **** and probably would have stopped your issue...

I run apf, bfd, mod_security and mod_evasive, and it really helps a lot..
When I first started using it.. a lot of the sites I host stopped working... I just told my customers to recode their ****
 
I think what really annoys me is that there is no effective way to use the control panel (Plesk) to scan the domains for potential exploitable code.

I'm investigating mod_secure and mod_evasive now, but I don't seem to have apxs installed and the rhn up2date isn't working.

It's quite annoying. I also probably don't have http-devel either.
 
Have you tried yum to install them. I know ART has http-devel and I believe apxs.

panaman gave you a good tip about APF (Advanced Policy Firewall) and BFD (Brute Force Detector), used together they are a definite improvement over the Plesk firewall. They are very simple to install and configure. Check them out

http://rfxnetworks.com/proj.php
 
Originally posted by phoenixisp
Have you tried yum to install them. I know ART has http-devel and I believe apxs.

panaman gave you a good tip about APF (Advanced Policy Firewall) and BFD (Brute Force Detector), used together they are a definite improvement over the Plesk firewall. They are very simple to install and configure. Check them out

http://rfxnetworks.com/proj.php

when I try to start APF, I get this error:

# /etc/apf/apf -s
[: /etc/apf/conf.apf: unexpected operator
APF version 0.9.6 <[email protected]>
Copyright (C) 1999-2004, R-fx Networks <[email protected]>
Copyright (C) 2004, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

$CNF not found, aborting.
# /usr/local/sbin/apf -start
[: /etc/apf/conf.apf: unexpected operator
APF version 0.9.6 <[email protected]>
Copyright (C) 1999-2004, R-fx Networks <[email protected]>
Copyright (C) 2004, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

$CNF not found, aborting.

My config is: /etc/apf/conf.apf
 