[Owasp-delhi] (no subject)

Soi, Dhruv dhruv.soi at owasp.org
Sat Feb 21 09:45:56 EST 2009

Non-root user can open up any port >=1024 so opening port 2121 is no big
deal :-) 


How to open? depends upon various channels excluding SSH --> Remote code
execution vulnerability in network services, file inclusion/execution/upload
vulnerability in web application, already compromised server getting
commands from IRC, BOTs, etc


Here are quick remedies:


1.	Configure Apache in Chrooted environment - Always
2.	Harden server and underlying services. Use Selinux if it doesn't
cause too much trouble to admin team. 
3.	Regularly check for RootKits using chkrootkit/rkhunter/OSSEC. Also,
search for files with malicious permissions/suid/etc.
4.	Re-look table level permissions in Database.
5.	Firewall rules for web server - DENY IN-OUT, DENY OUT-IN, ALLOW
OUT-IN:80,443, ALLOW MYIP_RANGE-IN:22 (alternative to VPN approach)
6.	Enable login via Public Key Authentication + password (Only) in SSH
7.	Install TripWire/OSSEC to monitor file
integrity/addition/deletion/changes and alerts you in almost real time
8.	Freeze the process list and install process monitor to alert you in
real time on addition of any new process into the list
9.	Use centralized Syslog with Splunk to keep an eye on bad activities
without allowing bad guys to modify logs
10.	Code secure web applications followed by regular code audits/web
assessment. If hiring a company for routine code audits looks expensive, use
such appliance
11.	If you are struggling a lot with iFrame inserts in your website(s)
then use tool like HackAlert
(http://www.torridnet.com/hackalert-web-application-intrusion-detection) [it
is unique with no other alternative available] to give you real time alerts
the moment there is an iframe insert.


Disclosure: Above suggested links belong to our website and should not be
treated as self-promotion rather be considered as recommendation for the
best available.


Hope helpful!





From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Deepak Gupta
Sent: Saturday, February 21, 2009 4:42 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] (no subject)


Dear All


I would like to know "How an attacker can forcibly open a port on server
without using SSH. I have seen that an hacker was able to do sql injection
and able to insert url redirection in table. 


Whenever the hacked site is opened, it redirect the users to hacker's site
pakbugs.org where as it also succeed to open ftp-proxy port 2121 on server.
Please tell me how one can open a port without root permission. 



Deepak Gupta
Head Server
Compare Infobase Limited
C-62, Community Centre
Janak Puri, New Delhi
Phone: 91-11-25542045, 41588013, 14
Mobile: +919871399012
E-mail:  <mailto:deepak at infobase.in> deepak at infobase.in
 <http://www.infobase.co.in/> www.infobase.co.in


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20090221/f4ddbae6/attachment-0001.html 

More information about the Owasp-delhi mailing list