The Hacker Diary

PHPIDS

Well, well.

It certainly has been a while since I've had any really meaningful posts. The truth is that I have been super busy working, studying or being lazy and playing Call of Duty: Black Ops. You know, 'Tango sucka!!"

At any rate, I've neglected to post on my blog for quite some time so I figured why not post about what I am working on currently.

Mein Kampf ("My Struggle" for the uninitiated)

I run a phpbb3 bulletin board system (not going to mention it here) and one of the struggles I deal with are the unknown hacks that malicious people in the darkest corners of the internet use to create un-approved users in the board db and post spam, steal email accounts to spam later or just be general jerks.

Actual screen shot from phpbb3 administration console. Note that the joined date is showing October 11th 2007, 12AM. Those users were created in the db on June 4th 2010 at 9:00pm. Very sneaky although amateur as user pruning would have removed these accounts next time it ran. The hack performed did not specify post counts and recent posts in the database and as a result user pruning takes a look and says "Who hasn't posted in X amount of days?" then prunes everyone who hasn't. (Prune means deletes the accounts or deactivates them depending on your forum's individual settings.)

The solution up to this point has been to ban APNIC, LAPNIC, RIPE via htaccess and constantly update revisions of phpbb3. Basically, a determination is made like this:

"Your not from the United States? No entry for you."

This reduced the spam issues I was having drastically in addition to not completely scaring me away from phpbb3 for insecurity. I also disabled new user requests since I personally know everyone on the board. This way it's invitation only no exceptions. My concern however is with the other fraction of ruffians hammering away from their computers in the United States or overseas kiddies proxying through US computers/botnets to do nefarious things. I see it everyday in my profession as I monitor intrusion attempts and attacks on networks.

I asked myself the other day if a guy who's profession is in the information security sector gets his WordPress hacked or his bulletin board system is defaced, does that make him bad at his job? Do others look down on him?

The truth is that, it happens. I've been fairly lucky thus far but the inevitability is that compromises can and will occur. The answer depends on whether or not there are known good backups, layered security and adherence to policy. What I mean by adherence to policy: no weak passwords, password cycling, log checking, etc.

For everything else, there is phpids.

Enter PHPIDS

PHPIDS acts as a filter over input that will do regular expressions and treating on that input then flag suspicious tags,  keywords, etc and take action according to your configuration. Using php.ini and pre-append you can setup phpids pretty quickly. The project has good support through the forums and a pretty loyal following of the most hardcore security guru's to average Joe.

Initially, false positives were a problem, but that was easily remedied by utilizing the white listing function adding the post and pm message fields.

This is a really great tool for the developers out there who have security concerns and would like to do something about them. Even with the "proper" sanitization of user supplied input, your adding of an additional layer of security that will keep you aware of one-off's and steady attacks as well as the newest attacks that might circumvent the common methodology.