08-23-2006, 09:08 PM
Phil21
ScannerX,

Sorry to rain on your parade... But hopefully I can offer some input on the side of the actual folks on the front lines here.

Nessus (no matter how modified) will be of fairly limited usefulness for any even remotely properly managed *NIX server. On Windows, I'll give you that, since my expertise simply does not lie there.

I haven't seen actual OS-level or "daemon level" (e.g. apache, bind, sendmail, sshd, etc.) in-the-wild actual exploit on our network for a LONG while. In fact, I can count on one hand the number of local root exploits we've had lately even after customers left remote holes open. Nessus is great for finding those holes; however, since they are rare, the product simply doesn't offer too much for us other than an "oh shit" type of scan where someone REALLY screwed up and left something running accidentally.

Now... for something I absolutely *would* pay good money for. I want essentially a virus scan, which scans for ALL known exploitable PHP/Perl/whatever files on the system. This means it will keep signatures of all phpBB files that can be exploited, etc. Remote scans are near-worthless in my opinion, as they simply "guess" at what pathnames a client may use. If I have a nightly scan going through the entire filesystems on my machines, I can be assured every file is checked. There is nothing keeping anyone from creating a product like this, save the work involved. Basically take ClamAV (or your favorite open source *nix AV scanner) and simply create your own definitions file. Watch all the security lists, test the exploits, and add signatures hourly/daily/whatever. I would absolutely subscribe to a "definitions feed" service that was reliable and trustworthy, and would be willing to pay at minimum multiple thousands/mo for the privilege. However, the service would absolutely have to be very complete and kept up to date.

If/when someone actually comes up with a workable, supported, and *good* product such as that, I think they'd find a whole lot of success selling to the hosting provider market. I would love nothing more than to be able to proactively contact customers and put in hotfixes for "zero day" random-script-of-the-week exploits. Currently it's very much a reactive process.

As for the original poster - sorry for threadjacking. But pretty much everyone has it more or less right. If the entry vector was a script you uploaded or requested to be installed, it would be your responsibility to keep it up to date. A host simply can in absolutely no way take responsibility for third-party software. However, they should have decent tools/staff to help you out after the fact and try to come up with what happened. However, even that can be an exercise in futility depending on the "hack" used.

Peace,

-Phil

Last edited by Phil21; 08-23-2006 at 09:10 PM..
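The nightly, signature-driven filesystem scan the post above asks for, sketched as an added example (not part of the original post and not any product's code). It assumes exact SHA-256 matches against a definitions feed; the feed entry, file contents and directory names are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed definitions feed: SHA-256 of a known-vulnerable file -> advisory label (placeholder).
VULN_BODY = b"<?php /* constructed stand-in for a vulnerable forum script v1.0 */ ?>\n"
DEFINITIONS = {
    hashlib.sha256(VULN_BODY).hexdigest(): "example-forum 1.0 viewtopic.php (placeholder advisory)",
}
SCRIPT_EXTS = (".php", ".pl", ".cgi")

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, definitions=DEFINITIONS):
    """Walk root; return sorted (path, advisory) for each script file whose hash is in definitions."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(SCRIPT_EXTS) or os.path.islink(path):
                continue  # only script extensions; symlinks are not followed
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the nightly run
            if digest in definitions:
                hits.append((path, definitions[digest]))
    return sorted(hits)

def demo():
    """Constructed web root: the vulnerable file sits under a renamed, unguessable path."""
    with tempfile.TemporaryDirectory() as root:
        odd = os.path.join(root, "cust42", "htdocs", "my-board_old")
        os.makedirs(odd)
        with open(os.path.join(odd, "view.php"), "wb") as f:
            f.write(VULN_BODY)  # same bytes as the signature, different name and path
        with open(os.path.join(root, "cust42", "htdocs", "index.php"), "wb") as f:
            f.write(b"<?php echo 'hello'; ?>\n")  # benign file, must not match
        return [(os.path.relpath(p, root), adv) for p, adv in scan_tree(root)]

if __name__ == "__main__":
    for path, advisory in demo():
        print(path, "->", advisory)
```

The match is on content, so the renamed copy is flagged even though no remote scanner would guess its path; an exact hash misses locally modified copies, which is where pattern-based signatures would be needed.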