
Re: Web software security scanners



On Wed, 7 Apr 2004, Micah Anderson wrote:

> Hey all,
> 
> I am looking for some scanners which look for known vulnerabilities in
> different web software. 

for the best use of your $$$$ and time and customer relations:
a)  hire a security conscious server admin
	- one admin should be able to handle 100-500 machines all
	with their automated scripts

b) for checking your existing web server problems
	http://Linux-sec.net/Web/#Testing

> I have a colleague who runs a community web server with some 100
> different sites and almost half that in different CMSes, blogs,
> publishing software, formmail scripts, postnuke, phpnuke, drupal,
> Movable Type, etc. They have unfortunately allowed their people to
> install whatever software they want, which has resulted in this
> hodgepodge of random software, at different versions (not all debian
> packages) and some of these pieces of software have some exploitable
> holes in them.
> 
> This is known because he has found script kiddies who have been able
> to upload tar.gz files as user www-data into /tmp /var/tmp and
> /home/www-data and then extract them and run them. This has resulted

A 2-second problem to prevent... it is trivially simple to prevent script kiddies
from doing that
	- remove tar and all gcc environments, etc.

	- look at the scripts ... see what they do ... and take
	out those commands from your machines

> in shells being started as www-data, and scripted attempts to escalate
> privileges using lkm, mremap, and other kernel holes (which have
> never, to his knowledge, worked because he maintains the latest kernel

One never knows what their vulnerability and exploitability is
till one takes the time to look at the latest news and see
if it affects you

c ya
alvin

> and watches his filesystem with aide and sees the rogue processes
> started almost immediately and they get killed, but there is still the
> possibility of course).
> 
> Anyways, he is rebuilding the machine, as he should, with much more
> strict web hosting security considerations in mind, but he still would
> like to track down which piece of software is vulnerable. Based on the
> data that I have gone over for him, it is pretty plain that someone is
> using some sort of vulnerability scanner to find that he is running a
> phpnuke (for example) that is vulnerable, and then running an exploit on
> it. The attacks are without a doubt scripted. He has run nessus on
> the system, but nessus only really gives you false positives about
> software that is installed that isn't the right version (because the
> debian packages actually backport the security fixes), but it doesn't
> know anything about the different CMSes etc.
> 
> Does anyone know of these types of scanners?
> 
> Thanks!
> 
> 
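The thread describes rogue processes started as www-data out of /tmp, /var/tmp and /home/www-data (extracted from uploaded tarballs, then shells and tar/gcc runs) that get noticed and killed by hand. The script below is an added example, not code from either poster or from any Debian package: it takes `ps -eo user,pid,args` style lines and flags processes owned by the web server user that either execute from one of those drop directories or are one of the tools Alvin suggests a web user has no business running. The user name www-data, the directory list, the tool list and the sample ps lines are all assumptions and constructed input, not data from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): flag processes running as
# the web server user from drop directories or via tools it should not need.
# Input format: one process per line, "user pid args", i.e. the output of
#   ps -eo user,pid,args | sed 1d
# WEB_USER, DROP_DIRS and the tool list are assumptions; tune per host.

WEB_USER="www-data"
DROP_DIRS="/tmp /var/tmp /home/www-data"

# flag_rogue_procs: read ps lines on stdin, print "pid args" for every
# process owned by $WEB_USER whose executable lives under a drop directory
# or whose command is a shell, tar, a compiler or a download tool.
# Note: a CGI that calls system() also spawns sh as www-data, so on a host
# that legitimately does so, drop sh/bash/dash from the list below.
flag_rogue_procs() {
    while read -r user pid args; do
        [ "$user" = "$WEB_USER" ] || continue
        cmd=${args%% *}            # argv[0], e.g. /tmp/.x/kmod or sh
        base=${cmd##*/}            # basename of argv[0]
        suspicious=0
        for d in $DROP_DIRS; do
            case "$cmd" in
                "$d"/*) suspicious=1 ;;
            esac
        done
        case "$base" in
            sh|bash|dash|tar|gcc|cc|wget|curl|nc) suspicious=1 ;;
        esac
        [ "$suspicious" -eq 1 ] && echo "$pid $args"
    done
    return 0
}

# Constructed sample ps output (not captured from a real host):
# a normal apache worker and php script, plus a binary run from /tmp and a
# shell unpacking a tarball in /var/tmp, the pattern described in the thread.
SAMPLE_PS='root 1 /sbin/init
www-data 1234 /usr/sbin/apache -k start
www-data 1301 /tmp/.x/kmod -p
www-data 1302 sh -c cd /var/tmp && tar xzf r.tgz
www-data 1303 /usr/bin/php /var/www/site/index.php
alvin 2001 /bin/bash'

# Stand-alone run: prints the two rogue processes (pids 1301 and 1302).
printf '%s\n' "$SAMPLE_PS" | flag_rogue_procs
```

On a live host run `ps -eo user,pid,args | sed 1d | flag_rogue_procs` from cron or a watcher loop; piping the output through `while read pid _; do kill "$pid"; done` turns it into the kill step, but review the flagged list by hand first, since the tool list is a heuristic and will catch legitimate CGI helpers on some sites.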