
I have found that the local school's website installed a Perl Calendar - this was years ago, it has not been used for ages, but Google has it indexed (which is how I found it) and it is full of Viagra links and the like ... the program was by Matt Kruse; here are details of the exploit: http://www.securiteam.com/exploits/5IP040A1QI.html

I've got the school to remove that, but I think they also have MySQL installed and I'm aware that out-of-the-box there have been some exploits of Admin Tools / Login in old versions. For all I know they also have PHPBB and the like installed ...

The school is just using some cheap, shared hosting; the HTTP response header I get is:

Apache/1.3.29 (Unix) (Red-Hat/Linux) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.14 OpenSSL/0.9.6b PHP/4.4.9 FrontPage/5.0.2.2510

I'm looking for some means of checking if they have other junk installed (quite possibly from way back, and now unused) that might put the site at risk. I'm more interested in something that can scan for things like the MySQL Admin exploit rather than open ports etc. My guess is that they have little control over the hosting space that they have - but I'm a Windows DEV, so this *nix stuff is all Greek to me.

I found http://www.beyondsecurity.com/ which looks like it might do what I want (within their evaluation :) ) but I have a worry about how to find out if they are well known / honest - otherwise I will be tipping them a wink with a Domain Name that may be at risk!

Many thanks.

chmeee
Kristen
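As an added example (not from the question or any of the answers), the script below does the two things the question is actually asking for, against a host whose owner has authorized the check: it parses the quoted Server banner into product/version pairs and flags branches that were already end-of-life when this thread was written (Apache 1.3 and PHP 4), and it probes a short list of paths where leftover admin tools and forum installs usually sit. The path list, the EOL table and the in-memory responses in `constructed_fetcher` are assumptions made for illustration; `urllib_fetcher` is the real HTTP version.

```python
"""Inventory a shared host's exposed stack and look for leftover web apps.

Added example, not code from the question or the answers. Run it only
against a host whose owner has authorized the check.
"""
import re
from typing import Callable, Dict, List, Tuple

# The Server header quoted in the question.
SERVER_BANNER = ("Apache/1.3.29 (Unix) (Red-Hat/Linux) Chili!Soft-ASP/3.6.2 "
                 "mod_ssl/2.8.14 OpenSSL/0.9.6b PHP/4.4.9 FrontPage/5.0.2.2510")

# Name/Version tokens; parenthesised comments such as "(Unix)" are stripped first.
_TOKEN = re.compile(r"([A-Za-z!_-]+)/([0-9][0-9A-Za-z.]*)")


def parse_server_banner(banner: str) -> Dict[str, str]:
    """Map each product named in a Server header to its advertised version."""
    without_comments = re.sub(r"\([^)]*\)", " ", banner)
    return {m.group(1): m.group(2) for m in _TOKEN.finditer(without_comments)}


# Major branches that had already reached end of life when this thread was
# written (March 2010): Apache 1.3 (February 2010) and PHP 4 (August 2008).
# Illustrative table; extend it for the date you are checking against.
EOL_BRANCHES = {"Apache": ("1.3",), "PHP": ("4",)}


def unsupported_components(versions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (product, version) for every component on an end-of-life branch."""
    flagged = []
    for product, branches in EOL_BRANCHES.items():
        ver = versions.get(product)
        if ver and any(ver == b or ver.startswith(b + ".") for b in branches):
            flagged.append((product, ver))
    return flagged


# Paths where old admin tools and forum installs are commonly left behind on
# shared hosts. Assumed list for illustration, not taken from the thread.
CANDIDATE_PATHS = ["/phpmyadmin/", "/phpMyAdmin/", "/mysqladmin/", "/phpbb/",
                   "/forum/", "/cgi-bin/", "/_vti_bin/"]

# A fetcher maps a path to (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def probe_paths(fetch: Fetcher, paths: List[str]) -> List[Tuple[str, int, str]]:
    """Return (path, status, title) for every path that is not a plain 404.

    A 200, 401 or 403 means something is mounted there; the <title> usually
    names the application and often its version.
    """
    found = []
    for path in paths:
        status, body = fetch(path)
        if status == 404:
            continue
        m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        found.append((path, status, m.group(1).strip() if m else ""))
    return found


def urllib_fetcher(base_url: str) -> Fetcher:
    """Real HTTP fetcher using only the standard library."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as r:
                return r.status, r.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read(65536).decode("utf-8", "replace")
    return fetch


def constructed_fetcher(path: str) -> Tuple[int, str]:
    """Constructed stand-in for the shared host, so the script runs offline."""
    site = {
        "/phpmyadmin/": (200, "<html><head><title>phpMyAdmin 2.6.0</title></head></html>"),
        "/cgi-bin/": (403, "<html><title>403 Forbidden</title></html>"),
    }
    return site.get(path, (404, "Not Found"))


if __name__ == "__main__":
    versions = parse_server_banner(SERVER_BANNER)
    for product, ver in unsupported_components(versions):
        print(f"end-of-life: {product} {ver}")
    for path, status, title in probe_paths(constructed_fetcher, CANDIDATE_PATHS):
        print(f"{status} {path} {title}")
```

To run it for real, replace `constructed_fetcher` with `urllib_fetcher("http://www.example-school.invalid")` (hypothetical host name). Anything that answers with 401 or 403 is as interesting as a 200: it tells you an application is still mounted even though nobody can reach it from the marketing site's links.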

5 Answers


What exactly is your relationship to the school? It sounds like you're asking others for ways to find vulnerabilities in their system then take it to them, but if you don't work for them or aren't a part of their system, I'd question if it's your place to take this route to do it. Many organizations frown on white hat hackers cracking their systems as a side project.

If you want to work with them, you might want to contact their IT department and discuss it with them, or talk to your school board representatives and see if they can arrange something (or the superintendent). Explain your worries and see if you can work with them, addressing the issues in a letter.

There are plenty of vulnerability scanners out there to google, but I'm sure that if their district is typical of other school districts (is this a public school in the US?) then they are short staffed and short on budget. They won't be happy with people intentionally taking swipes at their systems and then waving a sign at them saying, "hey, see what I did to your system!"

Contact them. Contact their IT people (they should have available addresses). Work with them. If they're not interested in having an assessment of their security and the school board isn't interested in it, then I'd say let it go, because there are better things for you to invest your time on and they'll learn a lesson when a state auditor goes through their configurations or something bad happens. And you don't want to be implicated in any of that. Very bad to get wrapped up in it if that happens.

Bart Silverstrim
  • exactly what I wanted to say, although I'd have been more rude about it, lol. Sounds kind of fishy to say the least – HannesFostie Mar 19 '10 at 15:24
  • I have a child at the school, I provide a software package for schools (which this school uses) and I have been retained by the school's governors to provide a technical opinion on a new ("marketing") site that the school has commissioned; it has been mounted on the existing cheap-hosting site, with all previous rubbish still in place :( I have worked with their IT department on various issues for nearly 4 years. So hopefully your concerns are put at rest. My aim, before telling them they have to reformat and start over, is to establish the breadth of any possible hacks to date. – Kristen Mar 19 '10 at 15:25
  • Wanted to give the benefit of the doubt. I don't know why the OP would have this fixation on their website, that's why I asked. Personally if it's not mine and I have no business with them, I'd stay the @#%$ away from it, since getting wrapped up with them means if something *does* happen, guess whose door they knock on first?... – Bart Silverstrim Mar 19 '10 at 15:27
  • @Kristen: Ah! A reasonable explanation :-) Okay, as a sysadmin, if the system has been cracked, they should wipe it anyway. You cannot trust a system that has been hacked, period. Most admins here will tell you that...especially if they've neglected the site. They'd be better off if they revamped and relaunched everything from a new server, but that's getting way off topic from the question. – Bart Silverstrim Mar 19 '10 at 15:30
  • To clarify: When new "marketing" website went live I assumed it was moved to facilities that design company had control over(assume is dangerous of course). As links to old crud started to disappear from Google I noticed that links to this Calendar stuff remained - and on investigation then discovered that hosting had not moved, and only obvious HTML/Images had been deleted - cgi-bin etc was untouched :( – Kristen Mar 19 '10 at 15:31
  • There is *no way* to tell how far the hole into wonderland goes. Once an attacker has put something in place, especially a rootkit, the game's over. And you're trying to assess it from the outside. To audit it, you'd need to be able to monitor the logs, the network traffic, even bootable forensic scanning and/or hashes of system files that I can almost guarantee don't exist. The fact is that if there's unused rubbish and cruft on the system and you work in a capacity where this is *part of your responsibility* with them, they need to redo the whole thing. – Bart Silverstrim Mar 19 '10 at 15:33
  • I'm 100% with you on that one. However I know what "management" will say - "costs money to do that, and time, and with site being offline may cause parents to ask embarrassing questions ... let's just patch up and mend" so my aim was to have more ammunition so I can reinforce my concerns - and by that hopefully persuade them to take a very serious approach. Hence I wanted to be able to say "You have Calendar exploit" (already known) "... and X, Y and Z exploits ..." and thus "Only way forward is nuke-from-space" – Kristen Mar 19 '10 at 15:38
  • Politics, I'm afraid. Unless the school board is behind it, your work will be for nothing, and in fact they could turn around on you if you don't have express permission to do this. Unless your application requires them to have a new server set up. If they're not seeing damage from the setup, they'll most likely leave it as it is. If they're required for some reason to have a new server, they might do it, or if it has support from the school board or from the IT department. – Bart Silverstrim Mar 19 '10 at 15:47
  • If the first set of problems didn't get them to do anything, you finding other problems won't necessarily either, since they'll just say that now that you know about them they can be fixed one by one. They don't understand that system administration isn't like rearranging Lego blocks. – Bart Silverstrim Mar 19 '10 at 15:48
  • Yeah :( My application is hosted separately on our own dedicated servers so this doesn't impact on that - but my "politics" is that, unlike the marketing site, my site DOES hold information about children, and if their Marketing site home page is hacked parents would lose faith in the schools systems, per se, which will cause us a shedload of work to reassure parents - through no fault of our own. – Kristen Mar 19 '10 at 15:51
  • Right I will get on the phone to the governors and tell them to get the sandpaper out. – Kristen Mar 19 '10 at 15:51
  • I mean that as far as the powers that be are concerned, it's not a technical matter, especially if they don't understand it. So it's politics. Rootkits, glazed look. Angry parents because private information was stolen, they understand that. Politics. You're trying to solve a technical problem with a technical approach that would only work with the IT department, if that. You might need to either redesign your app to not have any link to their website at all and give you more control or make it a technical contingency that they redo the site. Otherwise, it probably ain't gonna happen. – Bart Silverstrim Mar 19 '10 at 16:20

One thing I find useful is dumping the entire database to a text file, and running keyword searches on it to look for shenanigans. If you use a decent text editor (e.g. Notepad++) you can get a lot done that way.

In the end though, it's almost always a better idea to purge and start over. If you're not doing it professionally, on a day to day basis, it's extremely difficult to keep up with crackers who do it for a living.

Satanicpuppy
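The dump-and-search approach in this answer, as an added example that is not the answer's own code: the script below runs a handful of indicator patterns over a SQL dump line by line (mysqldump emits one INSERT per line, so each row is seen whole) and reports the line, the indicator and an excerpt. The keyword list and the sample dump are constructed for illustration; `scan_dump_file` streams a real dump from disk.

```python
"""Search a SQL dump for injected content (spam links, hidden iframes,
obfuscated PHP). Added example, not code from the answer above.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Illustrative indicator list; extend it with whatever the defaced pages show.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday loan")
_TERMS = "|".join(re.escape(t) for t in SPAM_TERMS)

PATTERNS = {
    # an anchor whose text (within 200 chars) contains a pharma/gambling term
    "spam-link": re.compile(r"<a\b[^>]*>(?:(?!</a>).){0,200}?(?:%s)" % _TERMS, re.I),
    # iframes sized to zero or hidden with CSS
    "hidden-iframe": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|width=[\"']?0\b|height=[\"']?0\b)", re.I),
    # the classic PHP backdoor idiom
    "obfuscated-php": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # script tags loading from another host
    "remote-script": re.compile(r"<script\b[^>]*\bsrc=[\"']?https?://", re.I),
}

Hit = Tuple[int, str, str]  # (line number, indicator, excerpt)


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Check every line against PATTERNS and collect the matches with context."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                start = max(0, m.start() - 20)
                hits.append((n, name, line[start:m.end() + 40].strip()))
    return hits


def scan_dump(dump: str) -> List[Hit]:
    return scan_lines(dump.splitlines())


def scan_dump_file(path: str) -> List[Hit]:
    """Stream a dump from disk so large files need not fit in memory."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_lines(f)


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per indicator, which is the number to put in front of management."""
    counts: Dict[str, int] = {}
    for _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample dump, not a real database.
CONSTRUCTED_DUMP = """-- constructed sample dump, not a real database
INSERT INTO `posts` VALUES (1,'Welcome','<p>Term dates are on the notice board.</p>');
INSERT INTO `posts` VALUES (2,'PTA news','<p>Cake sale Friday.</p><div style="display:none"><a href="http://example.invalid/rx">cheap viagra online</a></div>');
INSERT INTO `settings` VALUES ('footer','<iframe src="http://example.invalid/x" width="0" height="0"></iframe>');
INSERT INTO `templates` VALUES ('hdr','<?php eval(base64_decode("ZWNobyAxOw==")); ?>');
"""

if __name__ == "__main__":
    for n, name, excerpt in scan_dump(CONSTRUCTED_DUMP):
        print(f"line {n}: {name}: {excerpt}")
    print(summarize(scan_dump(CONSTRUCTED_DUMP)))
```

A dump only shows what is stored in the database; a `cgi-bin` directory or a dropped PHP file never appears in it, so the same patterns should also be run over the document root (`grep -rl` with the same expressions does the job there).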

Not a vulnerability scanning expert so I won't answer the nuts and bolts side. But I would caution you to be careful doing scanning on a hosting company's server without their written permission. They will be justifiably irate if the scanning affects their other customers.

If you don't have confidence in the provider's ability to maintain a secure system (the server daemons and related software like phpmyadmin that shared hosts provide), then you should move hosts.

(Darn! Bart beat me to first answer.)

iPaulo
  • Sorry :-) The question sounded like the OP was asking for trouble in doing this. People get really touchy even if the intentions are good. Ask any kid who gets booted from school for pointing out a security flaw they discovered on a network share, which I've read has happened. – Bart Silverstrim Mar 19 '10 at 15:18
  • Good point, hadn't considered the effects on any other users. The school itself is small and gets only a handful of visitors a day, as you might expect. But as you rightly point out I have no idea what else is on that box. – Kristen Mar 19 '10 at 15:28

Bart is spot on. All web site scanning providers require permission from the site owner or administrator before doing a scan (or they should!).

But if you have a child at that school, you have a right to insist that they do test for and resolve serious web site vulnerabilities.

I work for Beyond Security and can confirm that the test engine used for our web scanner is the same engine used in our corporate VA/VM solution and that we maintain the same level of privacy and security for our web customers as for our corporate and government customers. Before the actual scan is done, the web site owner needs to prove ownership on the server (by changing something on the page or placing a special file to mark that they have actual access).

Ben Pilbrow

Following Bart and Aviram's answers: scanning/testing an environment for security weaknesses requires permission from the owner.

If you have a child at that school, or pay taxes that support that school, for that matter, you may have a right to insist that they do test for and resolve serious vulnerabilities. First approach IT, then school management: show them the history of flaws, output of Apache version etc, and ask them to verify security. If they aren't willing to, you could always write a letter to the regulator (school district or however it's set up in your environment).

reiniero