4 posts tagged “security”
Last night a friend noticed that, using his domain, there were a couple of spam hosts floating around on the Internet promoting the usual (porn, Cialis and the like). We host(ed) his DNS through everydns.net's free service (which, aside from one downtime and this incident, has been outstanding over maybe six or eight years). It's a free service, powered by donations.
Here is the run-down
The DNS (Domain Name System) is used to map fancy hostnames to IP addresses, so for example whenever you go to www.google.com, the name servers listed for google.com make sure that you are sent to the correct computer so you can do your search.
My client's domain: example.org
The spam host: freejoin.example.org
How did it happen?
Everydns.net treats all domains equally (it does not check whether a parent domain is already owned by another account), so when we put ns1 through ns4.everydns.net on the domain as authoritative name servers, the abuser added freejoin.example.org to his own everydns.net account and added a dozen hosts "beneath" it to advertise their services.
I am surprised that no one had noticed anything like that before.
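The missing check, as an added illustration written for this post (not everydns.net's code): before a multi-tenant DNS host creates a zone, it should refuse any name that sits beneath a zone owned by a different account. The function and account names are hypothetical, and the registry is constructed sample data.

```php
<?php
// Added illustration of a provider-side ownership check for a shared DNS host.
// Hypothetical names; not everydns.net's code.
// Rule: a zone may only be created if no existing zone that equals it or is a
// parent of it (e.g. example.org for freejoin.example.org) belongs to another account.

/** Normalise a zone name: lowercase, no surrounding whitespace, no trailing dot. */
function normalizeZone(string $zone): string
{
    return rtrim(strtolower(trim($zone)), '.');
}

/**
 * Decide whether $account may create $newZone, given $existingZones as
 * ['zone name' => 'owning account'].
 * Returns null when creation is allowed, or a reason string when it is refused.
 */
function zoneCreationConflict(string $newZone, string $account, array $existingZones): ?string
{
    $new = normalizeZone($newZone);
    foreach ($existingZones as $zone => $owner) {
        $zone = normalizeZone($zone);
        if ($owner === $account) {
            continue;   // an account may always nest zones under its own
        }
        if ($zone === $new) {
            return "$new already exists under another account";
        }
        // Parent test: $new ends with ".$zone"
        $suffix = '.' . $zone;
        if (strlen($new) > strlen($suffix) && substr($new, -strlen($suffix)) === $suffix) {
            return "$new is beneath $zone, which belongs to another account";
        }
    }
    return null;
}

// Constructed sample registry: example.org was added by the account 'friend'.
$registry = ['example.org' => 'friend'];

// The scenario from the post: a different account tries to add a host beneath it.
var_dump(zoneCreationConflict('freejoin.example.org', 'abuser', $registry));
// The legitimate owner may add it, and an unrelated zone is unaffected.
var_dump(zoneCreationConflict('freejoin.example.org', 'friend', $registry));
var_dump(zoneCreationConflict('example.net', 'abuser', $registry));
```

This only stops the subdomain trick described above; it does not prove that the account which added example.org in the first place actually controls that domain at its registrar, which is a separate verification the provider would have to do (for example by checking which name servers the registry currently delegates to).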
Solution
In this case we moved the DNS to another server and that fixed the situation for us.
David Ulevitch, the owner/founder of everydns.net, was notified (2008/05/04) prior to writing this blog post and he let me know that the bug is being fixed.
In related (New Year's) news: a law was passed in Germany which makes ISPs record every single "tele connection" made and keep the records for six months (I believe).
Time to move/use Tor?
Happy new year 2008.
Following a fuck up at Facebook, Nik Cubrilovic has posted an outstanding piece entitled Learning from Facebook: Preventing PHP Leakage, where he claims that PHP has been notorious for leaking source code. So what was human error is apparently a bug (one that only Nik discovered).
Here is my own list of advice (especially for Nik):
- Hire someone who knows this better than you to setup your servers.
- Hire someone to consult when you post on your blog and the topic exceeds your own area of expertise.
- Post a follow-up and admit your failure.
Updated:
Getting better - Vidyut Luther posted a rather ironic response to Nik's entry which got quoted as "key industry practices" by SDA India - so if you need a reason to not outsource to India, here it is: the people are clueless. (Sorry for the generalization, it was too tempting.)
I know, I know, who am I to say?
Well, anyway, I came across the following link tonight:
http://pastebin.ca/592702
Here is a quick list of what is wrong:
- There is absolutely no control flow: an attacker can do anything he wants and controls your page with a simple GET.
- Values from GPC (GET, POST and cookie data) are not quoted properly in SQL queries.
- Instead of clearly separating PHP code (backend) and HTML (frontend), all is mixed up.
- Use of the dreaded short tag - I wish PHP would get rid of that soon!
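To make the four points concrete, here is an added example, constructed for this post rather than taken from the pastebin: the vulnerable shape appears in comments, and the page below it shows one way to get each point right (a whitelist of actions for control flow, bound parameters instead of interpolated GPC values, the query logic finished before any HTML is emitted, and the full `<?php` tag with escaped output). The table name, the in-memory SQLite stand-in and the sample rows are assumptions.

```php
<?php
// Added illustration of the four points above; constructed code, not the pastebin's.
// Assumes a table 'posts' with columns id and title; SQLite in memory stands in
// for the real database so the script runs on its own.

// --- Vulnerable shape (the pattern the list describes) ---
// A raw GET value drives both the control flow and the SQL text, e.g.
//   $q = "SELECT title FROM posts WHERE id = " . $_GET['id'];   // unquoted, injectable
//   $r = mysql_query($q);
// with the result echoed straight into HTML through the short open tag.

// --- Hardened shape ---

// 1. Control flow: only the actions we name are reachable; anything else is a 404.
$allowedActions = ['list', 'show'];
$action = $_GET['action'] ?? 'list';
if (!in_array($action, $allowedActions, true)) {
    http_response_code(404);
    exit('Not found');
}

// 2. SQL: never interpolate GPC values; bind them as parameters.
function fetchPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function listPosts(PDO $pdo): array
{
    return $pdo->query('SELECT id, title FROM posts ORDER BY id DESC')->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Backend: compute everything the view needs before any HTML is emitted.
$pdo = new PDO('sqlite::memory:');   // constructed stand-in for the real connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (title) VALUES ('first <b>post</b>'), ('second post')");

$posts = [];
if ($action === 'show') {
    // filter_input validates the integer; a value such as "1 OR 1=1" is rejected, never executed
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Bad id');
    }
    $post = fetchPost($pdo, $id);
    $posts = $post === null ? [] : [$post];
} else {
    $posts = listPosts($pdo);
}

// 4. Frontend: a template using the full <?php tag, with every value escaped on output.
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<ul>
<?php foreach ($posts as $p): ?>
  <li><a href="?action=show&amp;id=<?php echo (int) $p['id']; ?>"><?php echo $e($p['title']); ?></a></li>
<?php endforeach; ?>
</ul>
```

Run it from the command line and it lists the two constructed rows; served through a web server, `?action=show&id=1` returns one row, `?action=show&id=abc` is refused with a 400, and `?action=delete` never reaches any code at all. The database work is finished before the first byte of HTML, which is what keeps backend and frontend separable.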
