Friday, February 10, 2006

"RadioShack Saves Millions of Dollars by Choosing Windows over Linux": Microsoft


Case Study: "RadioShack is one of the best-known electronics retailers in the world, with approximately 5,100 company-owned stores and 1,800 dealer-franchise locations that people turn to for batteries, toys, telephones, PCs, and more. However, the company's 11-year-old, UNIX-based point-of-sale systems had reached the end of their useful life and had to be updated. After an extensive evaluation in which RadioShack compared Windows® and Linux, the company selected Microsoft® Windows Server System™ and Windows XP Embedded because the platform offered lower long-term costs, less risk, better alignment with long-term technical strategy, stronger vendor support, and better use of existing development and IT operations skills. The company's move to Windows will reduce the number of servers in its stores by 50 percent and save millions of dollars in hardware, software, system management, and support costs."

Did they say saved millions or spent millions?

My conclusions:

1. Microsoft is smart in presenting the facts their way
2. RadioShack was misguided by pro-Windows people
3. RadioShack no longer has Linux/Unix people
4. Google / Yahoo are in a lot of trouble because they use Linux and Microsoft says using Linux can cause legal problems.
5. I don't know what "lowered TCO" they are talking about
6. I don't know what reliability they are talking about.
7. And security with Windows (makes me giggle)
8. "New options for future growth" OR "Limited options for future growth"

I would say someone spent millions when they could have passed the savings to their shareholders. Maybe I am biased because I have never found a better operating system / server system than Linux.

Banning abusive bots using mod_rewrite, .htaccess and mod_security

Here are the currently blocked user agents as per my /etc/modsecurity/useragents.conf file:


# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# User Agent Security Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# Version: N-20051203-01

#Comment spam header line
SecFilter "x-aaaaaa.*"
SecFilterSelective POST_PAYLOAD "X-AAAAAA.*"

#check for bad meta characters in User-Agent field
#SecFilterSelective HTTP_USER_AGENT ".*\'"

#XSS in the UA field
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)"

#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS"

#must have a useragent string and not be from ourself
#Some hosting software does not send a UA, so use with caution
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" chain
#SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#Exploit agent
SecFilterSelective HTTP_USER_AGENT "Mosiac 1\.*"

#Bad agent
SecFilterSelective HTTP_USER_AGENT "Brutus/AET"

#CGI vuln scan tool
SecFilterSelective HTTP_USER_AGENT cgichk
SecFilterSelective HTTP_USER_AGENT "DataCha0s/2\.0"

#Damn fine UA
SecFilterSelective HTTP_USER_AGENT ".*THIS IS AN EXPLOIT*"
SecFilterSelective HTTP_USER_AGENT "Morzilla"

#CIRT.DK Webroot auditing tool
SecFilterSelective HTTP_USER_AGENT ".*WebRoot "

#Exploit UA
SecFilterSelective HTTP_USER_AGENT ".*T H A T \' S G O T T A H U R T*"

#XML RPC exploit tool
SecFilterSelective HTTP_USER_AGENT "xmlrpc exploit*"

#A friendly little exploit banner for a WP vuln
SecFilterSelective HTTP_USER_AGENT "Wordpress Hash Grabber"

#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp

#Web leeches
SecFilterSelective HTTP_USER_AGENT "Web Downloader"
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebCopier
SecFilterSelective HTTP_USER_AGENT Webster
SecFilterSelective HTTP_USER_AGENT WebZIP
SecFilterSelective HTTP_USER_AGENT WebStripper
SecFilterSelective HTTP_USER_AGENT "teleport pro"
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT "Black Hole"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger"
SecFilterSelective HTTP_USER_AGENT "ProWebWalker"
SecFilterSelective HTTP_USER_AGENT "CheeseBot"

#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
SecFilterSelective HTTP_USER_AGENT "Mozilla/3\.Mozilla/2\.01$"

#Bogus IE UA line
SecFilterSelective HTTP_USER_AGENT "Microsoft Internet Explorer/5\.0$"

#Bogus UA
SecFilterSelective HTTP_USER_AGENT "FooBar/42"

#Nessus Vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nessus"

#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"

#Bad/Bogus UAs
SecFilterSelective HTTP_USER_AGENT "Indy Library"
SecFilterSelective HTTP_USER_AGENT "Faxobot"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL"

#Spam spider UAs
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser"

#VB development library used by many spammers, might block legit VBScripts
#comment out if you have problems
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak"

#Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
SecFilterSelective HTTP_USER_AGENT "NEWT ActiveX\; Win32"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*NEWT"

#Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
#it causes problems, comment out. If you are a member of the Microsoft Site
#Builder Network, you probably do NOT want to block this ID.
#SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control"
#SecFilterSelective HTTP_USER_AGENT "^Microsoft URL"

#e-mail collectors and spammers
SecFilterSelective HTTP_USER_AGENT "WebBandit"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE"
SecFilterSelective HTTP_USER_AGENT "Telesoft*"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*"
SecFilterSelective HTTP_USER_AGENT NICErsPRO
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*"
SecFilterSelective HTTP_USER_AGENT EmailSiphon
SecFilterSelective HTTP_USER_AGENT Extractorpro
SecFilterSelective HTTP_USER_AGENT webbandit
SecFilterSelective HTTP_USER_AGENT EmailCollector
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*"
SecFilterSelective HTTP_USER_AGENT EmailWolf

#Spiders that eat up bandwidth for their customers
#Not a spammer, just a spider, comment out if you like
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck"
SecFilterSelective HTTP_USER_AGENT "CopyGuard"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader"

#Marketing spiders
SecFilterSelective HTTP_USER_AGENT "Zeus .*Webster Pro*"

#Poker spam
SecFilterSelective HTTP_USER_AGENT "8484 Boston Project"

#collectors
SecFilterSelective HTTP_USER_AGENT "autoemailspider"
SecFilterSelective HTTP_USER_AGENT "ecollector"
SecFilterSelective HTTP_USER_AGENT "grub crawler"

#referrer spam, not the real weblogs
SecFilterSelective HTTP_USER_AGENT "^www\.weblogs\.com"

#spam bots
SecFilterSelective HTTP_USER_AGENT "DTS Agent"
SecFilterSelective HTTP_USER_AGENT "POE-Component-Client"
SecFilterSelective HTTP_USER_AGENT "WISEbot"
SecFilterSelective HTTP_USER_AGENT "^Shockwave Flash"
SecFilterSelective HTTP_USER_AGENT "Missigua"

#comment spam sign
SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE"

#Some regexps to catch silly bots
SecFilterSelective REQUEST_URI "!/ps(zones\|comp).txt1" chain
SecFilterSelective HTTP_USER_AGENT "^(google|i?explorer?\.exe|(MS)?IE( [0-9.]+)?[ ]?(Compatible( Browser)?)?)$"
SecFilterSelective HTTP_USER_AGENT "^(Mozilla( [0-9.]+)?[ ]?\((Windows|Linux|(IE )?Compatible)\))$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/5\.0 \(X11; U; Linux i686; en-US; rv\:0\.9\.6\+\) Gecko/2001112$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/[0-9.]+ \(compatible; MSIE [0-9.]+; Windows( NT)?( [0-9.]*)?;[0-9./ ]*\)?$"
SecFilterSelective HTTP_USER_AGENT "^Mozilla/.+[. ]+$"

#spammer
SecFilterSelective HTTP_USER_AGENT "Butch__2\.1\.1"
SecFilterSelective HTTP_USER_AGENT "agdm79@mail\.ru"

#Fake Gameboy UA
SecFilterSelective HTTP_USER_AGENT "GameBoy\, Powered by Nintendo"

#bogus amiga UA
SecFilterSelective HTTP_USER_AGENT "Amiga-AWeb/3\.4"

#exploit UA
SecFilterSelective HTTP_USER_AGENT "Internet Ninja x\.0"

#bogus googlebot UA
SecFilterSelective HTTP_USER_AGENT "Nokia-WAPToolkit.* googlebot.*googlebot"

#recently caught sending spam referrals, from their actual crawler IP
SecFilterSelective HTTP_USER_AGENT "BecomeBot"

#SurveyBot
SecFilterSelective HTTP_USER_AGENT "SurveyBot"

#exploit
SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\."
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider"
#SecFilterSelective HTTP_USER_AGENT "FunWebProducts"
SecFilterSelective HTTP_USER_AGENT "ichiro"
SecFilterSelective HTTP_USER_AGENT "picsearch"
SecFilterSelective HTTP_USER_AGENT "psbot/0.1.*"
SecFilterSelective HTTP_USER_AGENT "ichiro/2.0"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*Dead.*"
SecFilterSelective HTTP_USER_AGENT "Bloglines.*"
SecFilterSelective HTTP_USER_AGENT "PluckFeedCrawler.*"
SecFilterSelective HTTP_USER_AGENT "Baiduspider.*"
SecFilterSelective HTTP_USER_AGENT "voyager/1.0"
SecFilterSelective HTTP_USER_AGENT "boitho.com"
SecFilterSelective HTTP_USER_AGENT "findlinks/1.*"
SecFilterSelective HTTP_USER_AGENT "NewsGatorOnline/2\.0"
SecFilterSelective HTTP_USER_AGENT "Mozilla/4.0.*ZyBorg/1\.0.*Dead.*Checker"
SecFilterSelective HTTP_USER_AGENT "g2Crawler.*"
SecFilterSelective HTTP_USER_AGENT "Onfolio/2\.02"
SecFilterSelective HTTP_USER_AGENT "Java/1\.5\.0\_04"
SecFilterSelective HTTP_USER_AGENT "Gigabot.*"
SecFilterSelective HTTP_USER_AGENT "e.SocietyRobot"


Banning using .htaccess/mod_rewrite

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector
# any one of the [OR]-chained conditions above is enough to return 403 Forbidden
RewriteRule ^.* - [F]
# referrer spam: refuse requests arriving with this Referer header
# (the original "RewriteRule !^http://..." idiom never matches a request path,
# so the negated pattern was always true; a plain match-all rule has the same effect)
RewriteCond %{HTTP_REFERER} ^http://www\.iaea\.org$
RewriteRule ^.* - [F]
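The rules in the useragents.conf listing above and the RewriteCond list in this .htaccess block are both regular expressions searched against the User-Agent header without anchoring, which makes it easy to ship a rule that is too broad (the bare `lwp`, `combine` and `Webster` rules fire anywhere in the string) or one that never fires. The Python script below is an added example, not code from this blog or from gotroot: it loads rules in both syntaxes from constructed excerpts of the two listings and reports which rules each sample User-Agent would trip. It assumes case-sensitive matching (mod_security's case handling depends on your configuration; mod_rewrite is case-sensitive unless the condition carries [NC]) and translates the POSIX `[[:space:]]` class, which Python's re module lacks. The sample User-Agent strings are constructed.

```python
import re

# Constructed excerpts in the two syntaxes used on the page; the full
# useragents.conf and .htaccess hold many more rules of the same shape.
MODSEC_EXCERPT = r'''
#PHP code injection attack
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)"
#Blocks scripts
SecFilterSelective HTTP_USER_AGENT lwp
#Web leeches
SecFilterSelective HTTP_USER_AGENT combine
SecFilterSelective HTTP_USER_AGENT Webster
#Bogus Mozilla UA lines
SecFilterSelective HTTP_USER_AGENT "Mozilla/(4|5)\.0$"
#Nikto vuln scanner UA
SecFilterSelective HTTP_USER_AGENT ".*Nikto"
#comment spam sign
SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE"
#rule on another variable: ignored by this tester
SecFilterSelective REQUEST_URI "/ps(zones|comp)\.txt" chain
'''

HTACCESS_EXCERPT = r'''
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector
RewriteRule ^.* - [F]
'''

MODSEC_LINE = re.compile(r'^SecFilterSelective\s+(\S+)\s+(?:"([^"]*)"|(\S+))')
REWRITE_LINE = re.compile(r'^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)(?:\s+\[([^\]]*)\])?')


def to_python_regex(pattern):
    """Translate the POSIX bracket classes these rules use into Python's re syntax."""
    return pattern.replace('[[:space:]]', r'\s').replace('[[:digit:]]', r'\d')


def load_rules(modsec_text='', htaccess_text='', modsec_ignore_case=False):
    """Return (engine, pattern, compiled) triples for every User-Agent rule.

    Assumption: mod_security matches case-sensitively unless configured otherwise;
    mod_rewrite is case-sensitive unless the condition carries the [NC] flag.
    """
    rules = []
    for line in modsec_text.splitlines():
        m = MODSEC_LINE.match(line.strip())
        if not m or m.group(1) != 'HTTP_USER_AGENT':
            continue  # comments, blank lines and rules on other variables
        pattern = m.group(2) if m.group(2) is not None else m.group(3)
        flags = re.IGNORECASE if modsec_ignore_case else 0
        rules.append(('modsecurity', pattern, re.compile(to_python_regex(pattern), flags)))
    for line in htaccess_text.splitlines():
        m = REWRITE_LINE.match(line.strip())
        if not m:
            continue
        pattern, cond_flags = m.group(1), (m.group(2) or '').upper().split(',')
        flags = re.IGNORECASE if 'NC' in cond_flags else 0
        rules.append(('mod_rewrite', pattern, re.compile(to_python_regex(pattern), flags)))
    return rules


def matching_rules(user_agent, rules):
    """Both engines do an unanchored search, so a rule fires wherever its pattern
    occurs in the header unless the pattern anchors itself with ^ or $."""
    return [(engine, pattern) for engine, pattern, rx in rules if rx.search(user_agent)]


def audit(user_agents, rules):
    """Map each sample User-Agent to the rules that would block it.
    An empty list means the request passes; several entries mean redundant rules."""
    return {ua: matching_rules(ua, rules) for ua in user_agents}


# Constructed sample headers: a normal browser, bogus/scanner strings the rules
# target, and one harmless-looking string that the bare substring rule 'combine' hits.
SAMPLE_USER_AGENTS = [
    'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20060110 Firefox/1.5',
    'Mozilla/5.0',
    'Wget/1.10.2',
    'EmailSiphon 1.3',
    'Mozilla/4.75 (Nikto/1.35)',
    '<? php test ?>',
    'Mozilla/5.0 (compatible; combined-feed-reader/1.0)',
]

if __name__ == '__main__':
    for ua, hits in audit(SAMPLE_USER_AGENTS, load_rules(MODSEC_EXCERPT, HTACCESS_EXCERPT)).items():
        print(('BLOCK ' if hits else 'pass  ') + ua, hits)
```

Run it against a sample of User-Agent strings pulled from your own access log before enabling a new rule file; any legitimate client that shows up with a non-empty hit list is a false positive of the kind mentioned in the forum replies below, and a scanner banner that shows up with an empty list is a rule that needs tightening.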



Credits for .htaccess / mod_rewrite based banning:
.htaccess ban list Part 1
.htaccess ban list Part 2
.htaccess ban list Part 3

Hacked this AM - ServerBeach Forums

Today I came across the following discussion where one of my tutorials was mentioned:

Hacked this AM - ServerBeach Forums: "Someone used a PHP exploit to take down several of our sites this morning.

Replaced the homepages with their hacker page ~DESTROYER~. We had backups but they actually took the time to delete one of our databases, leaving the rest untouched.

We traced it to the hosting company, www.e3sarcom.org. Not sure what exploit they used as we had the latest version of PHPBB with all updates to the OS and many services disabled. Jerry"


I replied with:

GLJones, Sorry to hear about your site getting hacked.

I have a question, how are you so sure that it was a PHP exploit? Just curious. The reason I ask is a few friends of mine had thought the same but the problem ended up being totally different (Brute force FTP attacks).

Quote:
Originally Posted by Kevin Smith
Actually this guy had a good little tutorial and some .conf files to keep out a lot of things..

http://frankmash.blogspot.com/2005_1...h_archive.html

Thank you Kevin for mentioning my tutorial.

I wanted to point out that depending on what your site is about, you may need to tweak some mod_security settings to not let legitimate traffic get blocked (happened to one of my clients).

If on a dedicated server, I would also recommend blocking your root login attempts altogether and creating an alternative account with root's power.

Also, install brute force detection (if not already installed).

I look forward to answering any questions you may have. You can post a comment on my blog or e-mail me at softwareengineer99 at yahoo in case you need assistance.

Thanks
Frank


And this:


Quote:
Originally Posted by Kevin Smith
I only have one issue and luckily it's only for ONE client that just can't get off the pacifier....FRONT PAGE...just can't seem to get it to allow connections.


Is there a way to test BFD, I just want to make sure it's running....

BFD runs as a cron job every 8 minutes or so. The cron job is placed in /etc/cron.d/bfd

You can verify BFD is running by tailing
Code:

/var/log/bfd.log


You can also try the following command to see the list of IPs that have attacked your server (if BFD is installed):
Code:

bfd -a


Are you having difficulties in letting the client connect using Front Page? Do you have APF/iptables installed?

GLJones, I also wanted to point out that once you are hacked, and assuming that the hacker got access to your file system, there is no guarantee that your system is clean. I highly recommend you run a rootkit scan on your server to make sure the hacker didn't leave any rootkit on your server. This can be done using tools like rkhunter/chkrootkit etc. Also, make sure your important system binaries haven't been compromised.

Just a few pointers I thought may help.

Thanks
Frank


And then:


Quote:
Originally Posted by Kevin Smith
If I run bfd I get this..
.....
but if I do a killall bfd...no processes killed....my bfd logs are empty..

Since BFD runs as a cron job, no process will be killed. Can you verify if the cron job for BFD is present?

If not, try putting something like this (modify for your environment)
Code:

MAILTO=
SHELL=/bin/sh
*/10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log




Hope this helps
Frank
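A quick way to settle the "is the cron job present" question from the thread above is to check the cron.d file for the exact shape cron expects. The Python checker below is an added example, not part of the forum thread or of BFD itself; it assumes Vixie-cron /etc/cron.d syntax (five schedule fields, a user name, then the command, with NAME=value environment lines) and flags two mistakes that leave a job present on disk but never run: the three lines pasted onto one line, which cron reads as a single MAILTO assignment, and a user-crontab style line with no user field. The sample files are constructed.

```python
import re

# One cron schedule field: numbers, '*', ranges, lists and steps (e.g. */10, 1-5, 0,30)
FIELD = r'[\d*,/-]+'
SCHEDULE = r'\s+'.join([FIELD] * 5)
# /etc/cron.d entries carry a user name between the schedule and the command
JOB_LINE = re.compile(rf'^({SCHEDULE})\s+(\S+)\s+(.+)$')
SCHEDULE_ANYWHERE = re.compile(rf'(?:^|\s)({SCHEDULE})(?:\s|$)')
ENV_LINE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*\s*=')


def check_cron_d(text, command_hint='bfd'):
    """Parse a /etc/cron.d file and return (jobs, problems).

    Assumes Vixie-cron syntax. Catches the job that is present but will never run:
    a schedule pasted onto a NAME=value line (cron takes the rest of the line as the
    value) and a user-crontab style line that has no user field.
    """
    jobs, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if ENV_LINE.match(line):
            value = line.split('=', 1)[1]
            if SCHEDULE_ANYWHERE.search(value):
                problems.append(f'line {n}: schedule glued onto an environment assignment; '
                                'cron reads the whole line as the variable value')
            continue
        m = JOB_LINE.match(line)
        if m is None:
            problems.append(f'line {n}: not a valid cron.d entry: {line!r}')
            continue
        schedule, user, command = m.groups()
        if '/' in user:
            problems.append(f'line {n}: user field {user!r} looks like a command; '
                            '/etc/cron.d lines need a user name before the command')
            continue
        jobs.append({'schedule': schedule, 'user': user, 'command': command})
    if not any(command_hint in job['command'] for job in jobs):
        problems.append(f'no job runs {command_hint!r}')
    return jobs, problems


# Constructed sample files: the three-line form, the same text flattened onto
# one line, and a user-crontab line dropped into /etc/cron.d without a user.
GOOD = """MAILTO=
SHELL=/bin/sh
*/10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log
"""
FLATTENED = "MAILTO= SHELL=/bin/sh */10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log\n"
NO_USER = "*/10 * * * * /usr/local/sbin/bfd -q >> /var/log/bfd.log\n"

if __name__ == '__main__':
    for name, sample in (('good', GOOD), ('flattened', FLATTENED), ('no user', NO_USER)):
        jobs, problems = check_cron_d(sample)
        print(name, '->', len(jobs), 'job(s);', problems or 'no problems')
```

Feed it the contents of /etc/cron.d/bfd (for example `check_cron_d(open('/etc/cron.d/bfd').read())`); an empty problem list plus a job whose command contains bfd is what you want to see before you go looking at /var/log/bfd.log for fresh entries.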