Question about Bitninja abuse reports


Robin Manoli

Feb 25, 2016, 2:33:57 AM
to web...@googlegroups.com
Hello!

I was recommended by #ubuntu-server on Freenode not to use wsgi. I wonder if you recommend this as well (which means not using web2py with apache)?

I'm wondering if there is a certain type of web2py code I can look for to prevent unauthorized access. In particular, how to prevent Apache from sending GET requests to other domains than the actual web2py web site being requested in the first place.

I'd really appreciate your help on this :)

- Robin

Niphlod

Feb 25, 2016, 3:09:13 AM
to web2py-users
IMHO you're really confused. or got names wrong. or got things wrong.

wsgi IS THE ONLY WAY to run python code for webservers. It's the only standardized spec to do so.

Nooow, if you're instead talking about mod_wsgi on apache, it's another matter entirely. Securing apache needs to be done by experts....if you're not, you can amuse yourself reading docs and chatting to people, but if you're really concerned the best option is to leave it to professionals.

BTW, we "sponsor" nginx+uwsgi over apache for some time now.

Robin Manoli

Feb 25, 2016, 3:40:09 AM
to web2py-users
They recommended not to use wsgi, and so far I've been using mod_wsgi. Sorry if I didn't know everything about wsgi.

Thanks for the tips! Maybe I can amuse myself with some rude people on help forums too?

You know Niphlod, this is not the first time you're answering me in a rude way. Are you here to discourage people from learning, or one of those experts who can't handle that people can mix things up before learning? All the other people who have been helping me in these forums have been really nice. I hope you would like to be nice too.

Marin Pranjić

Feb 25, 2016, 3:52:57 AM
to web2py-users
Wow, some people are soo easily offended.

I don't see a single rude word here, it's a helpful and informative answer, and it should help you unmix things :)
His answer could be the best thing you read today, so I hope you don't just discard it because it's not wrapped up with fake politeness.

Regards,

Marin

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Robin Manoli

Feb 25, 2016, 4:30:42 AM
to web2py-users
Don't worry, I didn't disregard the information. The answer is not what I'm looking for, however. Even if Apache is amusingly complicated for Niphlod, the issue at hand has nothing to do with Apache. The issue is to figure out how to prevent GET requests being exploited through web2py.

And when it comes to rudeness, it doesn't necessarily require using singular rude words. But suggesting that people amuse themselves rather than learn properly about new technology seems arrogant and discouraging to me. I don't see how it has any place in a help forum.

And being nice does in no way require fake politeness.

Kiran Subbaraman

Feb 25, 2016, 6:37:13 AM
to web...@googlegroups.com
Robin,
In support of the 'exploit' that you speak of - is there any reported issue, or bug report, or code that you can provide a reference to? This would help understand if web2py is affected or not.

I suggest you take a look at the CVE database, to see if there have been reported Vulnerabilities on software that you use: https://www.cvedetails.com/
For example, looking for 'uwsgi' issues: https://www.cvedetails.com/google-search-results.php?q=uwsgi&sa=Search
Whereas, the 'mod_wsgi' issues: https://www.cvedetails.com/google-search-results.php?q=mod_wsgi&sa=Search
________________________________________
Kiran Subbaraman
http://subbaraman.wordpress.com/about/

Niphlod

Feb 25, 2016, 8:57:08 AM
to web2py-users
didn't mean to startle anyone .... amusement is personal entertainment, meant as "if you want to try facing the huge problem by yourself and you are willing to read through tons of docs".

that being said IMHO the question was/is ill posed. "wsgi" (no Uwsgi, no MOD_wsgi) is just a spec. Anyone telling "you can't use wsgi because it's not safe" is basically telling you NOT to use python for web development, because it's really the only standard out there for python apps.

in your "quoted parenthesis" 

 (which means not using web2py with apache)

you probably pointed out a reference to running wsgi under apache .... that is mod_wsgi. Now, mod_wsgi works. It has some configuration parameters that are hard to fine tune, but unrelated to security. As Kiran pointed out, there are multiple CVEs affecting it.
We, as web2py-developers, don't "block" any deployment method. Web2py exposes a wsgi interface, and provides adapters for cgi, fastcgi, scgi and wsgi protocols. You can deploy web2py also behind a reverse proxy using the included webservers. This translates to "pretty much everywhere and behind anything".

However we, as "support people", often see lots of users facing really weird issues deploying web2py with mod_wsgi under apache, and since there are alternatives that are far superior, with fewer headaches, less resource-hungry, more scalable and with fewer security concerns, we "encourage" dropping apache+mod_wsgi architectures in favour of nginx+uwsgi ones.
Apache in production DEFINITELY suffers from a very simple DDoS attack known as slowloris, that anyone knows, is easy to do from any home internet connection and can be mitigated only if you put something in FRONT of it. Why not just drop apache altogether?

In the end, web2py "should" be run under apache only and only if apache is a requirement itself (e.g. it runs other applications written in other programming languages).

That being said, if you can point out the full extent of your chat we'll probably be able to pinpoint the scary part and address your concerns. 
If the problem is really "how can I prevent my web2py app from sending GET requests to other domains" the reply is simply "don't issue requests to other domains". But that would be true independently of the webserver of your choice.
If the problem is, on the other hand, "I've been told that mod_wsgi can be exploited if not properly tuned, regardless of the underlying python app", once again, options are (from safest to least safe):
- consider something else than apache
- call an expert to fix apache and mod_wsgi
- read through mod_wsgi docs, mailing list and CVEs and pinpoint the needed fix



Robin Manoli

Feb 25, 2016, 12:56:36 PM
to web2py-users
Thanks for your elaborate reply Niphlod.

Perhaps the question was ill posed, but not knowing the true role of wsgi I don't know how I could have posted it differently. Still, as I said, I was recommended not to use wsgi and also not to use php. I was quite surprised of being given such advice, but it was nonetheless what I got.

Having primarily used php and web2py for web development is the reason why I use Apache in the first place.

That being said, and taking your points into account for later, the problem at hand for now is an exploit sending requests from the server. I'm not sure if it has to do with web2py, but I'm looking for tips for what could be sending these requests. It is a third party that is doing it.

Niphlod

Feb 25, 2016, 2:37:41 PM
to web2py-users
np, sorry for any induced confusion.

now that we established boundaries, and taking into account that actual people told you to avoid php in the same discussion, I think that those people should now elaborate what's the real anger against php and python, which, BTW, are the "language of choice" of several VERY BIG players in the web department. Frankly speaking though, none of those players are running either php or python behind apache.

I'm curious about your last comma though. Are we talking about a "potential vulnerability" (which I'm not aware of for recent builds of mod_wsgi) or something you faced in your production environment?

/closely offtopic but still related/ : choosing apache "because I use mainly php and web2py for web development" is all kinds of funny because you can actually ditch apache in favour of nginx without any particular issue. 

Anthony

Feb 25, 2016, 3:54:43 PM
to web...@googlegroups.com

Perhaps the question was ill posed, but not knowing the true role of wsgi I don't know how I could have posted it differently. Still, as I said, I was recommended not to use wsgi and also not to use php. I was quite surprised of being given such advice, but it was nonetheless what I got.

Do you have any details from the conversation -- i.e., what you asked and what they said exactly? It's possible they don't really know what they're talking about (or misunderstood your setup or question).
 
Having primarily used php and web2py for web development is the reason why I use Apache in the first place.

Note, at least for Python web apps, the preferred deployment setup is now Nginx+uWSGI.

That being said, and taking your points into account for later, the problem at hand for now is an exploit sending requests from the server. I'm not sure if it has to do with web2py, but I'm looking for tips for what could be sending these requests. It is a third party that is doing it.

Are you experiencing a current potential exploit? If so, what is the evidence? Have you seen https://wiki.apache.org/httpd/ProxyAbuse?

As noted at that link, if you are seeing logs with GET requests to external sites with 200 response codes, that doesn't necessarily mean Apache proxied the requests to the external sites -- it just means that Apache returned some response (assuming you have disabled mod_proxy or have it configured securely, it would just respond with the default page of your default virtual host). In short, your logs might reflect completely normal behavior.

Anyway, to be clear, if this is the issue, it has nothing to do with the WSGI specification or web2py. It is purely an Apache issue, and one that is easily rectified.

Anthony

Anthony

Feb 25, 2016, 4:20:34 PM
to web...@googlegroups.com

Perhaps the question was ill posed, but not knowing the true role of wsgi I don't know how I could have posted it differently.

I'd say if you don't really have an understanding of an issue, avoid definitive, sensational headlines like "Preventing hackers from exploiting web2py with wsgi", as that makes it sound like this is a proven exploit in need of prevention. Instead, maybe something like, "Question about possible WSGI security issue." The reason for aiming to be more circumspect is that this is a public forum, and so anything negative posted here, even if untrue or misinformed, can quickly spread as FUD on the internets.

Also, it sounds like you believe you might be experiencing a current exploit. If that's the case, it would be better to present details and evidence about your concern.

Anthony

Robin Manoli

Feb 26, 2016, 4:57:47 AM
to web2py-users
About the exploit
There is an exploit that was happening. I thought it was related to a web2py app on Apache, but I'm not sure any more. What is happening is that another web server keeps getting this type of request from a server I'm working on. This keeps happening although the ports 80 and 443 (and almost all other ports) for outbound traffic of the server are closed. mod_proxy is disabled.

server.ip - - [  -0500] "GET /index.php?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 7792 "-" "Mozilla/4.76 [en] (Win98; U)"


I did find some suspicious apache logs which made me think it was related to a web2py app:
213.152.162.134 - - [23/Feb/2016:22:32:19 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=anonyme1520091ef3&password=anonyme1520091ef3&type=m3u&output=mpegts&1=anonyme1520091ef3 HTTP/1.0" 400 804 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
185.25.148.240 - - [24/Feb/2016:14:38:31 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
213.152.162.134 - - [24/Feb/2016:19:44:56 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=whatisashelly&password=whatisashelly&type=m3u&output=mpegts&1=whatisashelly HTTP/1.0" 500 1091 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"


I did not wish to say that web2py has any specific issues, but rather to learn about potential and perhaps common mistakes people do when creating web2py or wsgi apps. Though this might as well be related to a php site or something else completely.


About naming this thread
When I wrote the name I thought it was related to one of my web2py apps, although it would probably be me who is responsible. Though I see what you mean Anthony, and I only wish to support web2py, as I find it to be the very best framework for creating server side web applications. And I do not have any logs of the chat.


About why I use apache
You are right of course Niphlod. The full story is just that I had a working setup with Apache without any issues, so I was focusing on app development and not choosing web servers. It worked very well so far in the context, and it's not really important to discuss this any further. I have my reasons for why things are like they are, and of course I can move to nginx.

Thanks for your replies so far!
- Robin

Anthony

Feb 26, 2016, 7:46:36 AM
to web2py-users
On Friday, February 26, 2016 at 4:57:47 AM UTC-5, Robin Manoli wrote:
About the exploit
There is an exploit that was happening. I thought it was related to a web2py app on Apache, but I'm not sure any more. What is happening is that another web server keeps getting this type of request from a server I'm working on. This keeps happening although the ports 80 and 443 (and almost all other ports) for outbound traffic of the server are closed. mod_proxy is disabled.

server.ip - - [  -0500] "GET /index.php?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 7792 "-" "Mozilla/4.76 [en] (Win98; U)"

So, is the above log entry from the other server (i.e., not the one you control)? I presume the "server.ip" value is the IP address of your server, hence the belief that this request is coming from your server, correct? If so, how did you get this log entry? Did the owner of the server contact you and provide it? Did they request any information from you? Can you trust that this is real (as opposed to a social engineering attempt)?
 
I did find some suspicious apache logs which made me think it was related to a web2py app:
213.152.162.134 - - [23/Feb/2016:22:32:19 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=anonyme1520091ef3&password=anonyme1520091ef3&type=m3u&output=mpegts&1=anonyme1520091ef3 HTTP/1.0" 400 804 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
185.25.148.240 - - [24/Feb/2016:14:38:31 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
213.152.162.134 - - [24/Feb/2016:19:44:56 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=whatisashelly&password=whatisashelly&type=m3u&output=mpegts&1=whatisashelly HTTP/1.0" 500 1091 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"


I don't see how any of these requests would be related to web2py/WSGI (as they are not for internal URLs that would be served by web2py), nor how they would be related to the alleged external request to the other server (which is not at any of these URLs). Looks like someone was just trying (and failing) to proxy requests through your server.

I did not wish to say that web2py has any specific issues, but rather to learn about potential and perhaps common mistakes people do when creating web2py or wsgi apps.

With regard to "proxy abuse" specifically, WSGI and web2py play no role -- this is simply an issue of the web server (and it seems not to be a problem in your case).
 
About why I use apache
You are right of course Niphlod. The full story is just that I had a working setup with Apache without any issues, so I was focusing on app development and not choosing web servers. It worked very well so far in the context, and it's not really important to discuss this any further. I have my reasons for why things are like they are, and of course I can move to nginx.

If you can, it might not be a bad idea to switch to Nginx, but at the moment, it's not clear that Apache is really causing any problems here.

Anthony

Robin Manoli

Feb 26, 2016, 10:57:19 AM
to web2py-users

So, is the above log entry from the other server (i.e., not the one you control)? I presume the "server.ip" value is the IP address of your server, hence the belief that this request is coming from your server, correct? If so, how did you get this log entry? Did the owner of the server contact you and provide it? Did they request any information from you? Can you trust that this is real (as opposed to a social engineering attempt)?

Yes this was the entry from the other server. The report of the entry was sent to the VPS provider by bitninja.io, and the VPS provider forwarded it to me asking for a solution. Bitninja didn't ask for anything else than those logs I posted here, and they said pretty much the same thing about attempting proxy requests. They seem trustable to me, although I don't see how these requests from my server keep happening on port 80 on that server after I blocked it for outgoing traffic.


Massimo Di Pierro

Feb 26, 2016, 11:10:36 AM
to web2py-users
I agree with Anthony's comments here. Nothing of what is shown is web2py related. This appears to be a php exploit.

Massimo

P.S. I stand by Niphlod. He did not say anything offending and his comment was insightful. We do not recommend apache+mod_wsgi because there are better ways (nginx+uwsgi). Although this has nothing to do with the php exploit above.

Anthony

Feb 26, 2016, 12:05:45 PM
to web...@googlegroups.com
On Friday, February 26, 2016 at 10:57:19 AM UTC-5, Robin Manoli wrote:

So, is the above log entry from the other server (i.e., not the one you control)? I presume the "server.ip" value is the IP address of your server, hence the belief that this request is coming from your server, correct? If so, how did you get this log entry? Did the owner of the server contact you and provide it? Did they request any information from you? Can you trust that this is real (as opposed to a social engineering attempt)?

Yes this was the entry from the other server. The report of the entry was sent to the VPS provider by bitninja.io, and the VPS provider forwarded it to me asking for a solution. Bitninja didn't ask for anything else than those logs I posted here, and they said pretty much the same thing about attempting proxy requests. They seem trustable to me, although I don't see how these requests from my server keep happening on port 80 on that server after I blocked it for outgoing traffic.

Note, Bitninja sells server security services (i.e., they have an interest in convincing you that you've got a vulnerability so you will buy their services). A lot of folks seem to think they generate fake reports as a marketing scam -- see:

https://www.lowendtalk.com/discussion/69911/hukot-net-and-bitninja-io
https://www.lowendtalk.com/discussion/69248/bitninja-abuse-reports

Also, on their home page, both the counter and the "live" list of "attacks" are fake -- generated client-side via Javascript (no live updates from the server).

I'm not sure if they sent you more details, but I notice the alleged server log record from them does not include the timestamp, and it does not appear they gave you the host name or IP address of the allegedly attacked server. This means there is no way for you to correlate their alleged records with your own logs (i.e., you cannot match the external host/ip nor the time of the request). They have sent you a very generic and common type of attack, so it may be likely that you would have a matching request in your logs just by chance (and if you don't, all the more reason to doubt them).

If you think they're for real, tell them you at least want to see timestamps -- if you don't see a matching request in your logs around the same time, I would highly doubt their reports are real.

Anthony
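Added example, not code from this thread or from the web2py project: a small Python script that does the two checks Anthony describes in his replies above. It parses Apache combined-format access-log lines, labels absolute-URI request targets (the open-proxy probes quoted earlier in the thread) and the `../../proc/self/environ%00` path-traversal pattern from the BitNinja report, and tries to match a reported (target host, timestamp) pair against the local log within a time window. It refuses to correlate when the report carries no host or no timestamp, which is exactly the situation in this thread. The sample log is constructed for the example, modelled on the entries quoted above with the query strings shortened; the last two lines and the 198.51.100.x client addresses are made up, and the 15-minute window is an assumed default.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 24/Feb/2016:14:38:31 +0100

# Constructed sample log, modelled on the entries quoted in the thread (query
# strings shortened); the last two lines and the 198.51.100.x clients are made up.
SAMPLE_LOG = """\
213.152.162.134 - - [23/Feb/2016:22:32:19 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=a&password=a&type=m3u HTTP/1.0" 400 804 "-" "Mozilla/5.0"
185.25.148.240 - - [24/Feb/2016:14:38:31 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 267 "-" "Mozilla/5.0"
213.152.162.134 - - [24/Feb/2016:19:44:56 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=w&password=w&type=m3u HTTP/1.0" 500 1091 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Feb/2016:19:45:10 +0100] "GET /index.php?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 7792 "-" "Mozilla/4.76 [en] (Win98; U)"
198.51.100.9 - - [24/Feb/2016:20:01:00 +0100] "GET /welcome/default/index HTTP/1.1" 200 5120 "-" "curl/7.47.0"
"""


def parse_timestamp(text):
    """Parse an Apache-style timestamp such as '24/Feb/2016:19:40:00 +0100' (tz-aware)."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_timestamp(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse a whole log, skipping blank and unparseable lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def classify(target):
    """Say what the sender of a request-target was trying to do."""
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # Absolute-form target ("GET http://other-host/..."): the client asked this
        # server to fetch another host's URL, i.e. it was looking for an open proxy.
        return "proxy-probe"
    decoded = unquote(target)
    if "../" in decoded or "\x00" in decoded or "/proc/self/environ" in decoded:
        # Path traversal towards /proc/self/environ with a null byte: the classic
        # PHP local-file-inclusion probe, aimed at index.php, not at a WSGI app.
        return "lfi-probe"
    return "normal"


def summarize(records):
    """Count records per class, e.g. {'proxy-probe': 3, 'lfi-probe': 1, 'normal': 1}."""
    counts = {}
    for r in records:
        label = classify(r["target"])
        counts[label] = counts.get(label, 0) + 1
    return counts


def proxy_targets(records):
    """(timestamp, client, target host, status) for every proxy probe.

    The status is what *this* server answered. With mod_proxy disabled Apache serves
    an absolute-URI request from the default virtual host (or rejects it), so even a
    200 here does not mean anything was relayed to the target host."""
    return [(r["ts"], r["client"], urlsplit(r["target"]).hostname, r["status"])
            for r in records if classify(r["target"]) == "proxy-probe"]


def correlate(records, reported_host, reported_at, window=timedelta(minutes=15)):
    """Proxy probes for reported_host within +/-window of the time in an abuse report.

    If this server had really relayed a request to reported_host, the inbound request
    that triggered it would sit in the access log at about that time. Both the host
    and a tz-aware timestamp have to come from the report; a report without them
    (like the one quoted in the thread) cannot be matched, so we refuse it."""
    if not reported_host or reported_at is None:
        raise ValueError("abuse report must state the target host and a timestamp")
    host = reported_host.lower()
    return [r for r in records
            if classify(r["target"]) == "proxy-probe"
            and urlsplit(r["target"]).hostname == host
            and abs(r["ts"] - reported_at) <= window]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    for hit in proxy_targets(recs):
        print("proxy probe:", *hit)
    when = parse_timestamp("24/Feb/2016:19:40:00 +0100")
    print("correlated:", [r["client"] for r in correlate(recs, "stream-full.selfip.com", when)])
```

Run against a real access log, `proxy_targets` lists who tried to use the box as a forward proxy and what Apache answered them; `correlate` is only useful once the abuse report names the target host and a time, which is why the first thing to ask the reporter for is a timestamp.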

Robin Manoli

Feb 27, 2016, 4:05:33 AM
to web2py-users
Ok, thank you all for your kind responses!
I think I have what I need from the web2py community, and I will resolve the issue with the information provided.

If it's possible to change the name of this thread, I do not mind to do so, as for what Anthony suggested: https://www.lowendtalk.com/discussion/69248/bitninja-abuse-reports