
url = http://domains.safaricom.co.ke/webim/client.php
result = Could not connect: Access denied for user 'ccn'@'localhost' (using password: YES)
:)

Jangita | +254 76 918383 | MSN & Y!: jangita@yahoo.com
Skype: jangita | GTalk: jangita.nyagudi@gmail.com

On Wed, Sep 29, 2010 at 4:51 PM, Jangita <jangita@jangita.com> wrote:
Are these guys serious? Hosting the database server on the same machine as the web server?

hehe, this is a nice one. Time for SQL injections to start!!!!

On Wed, Sep 29, 2010 at 4:55 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f... ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

Not affiliated with Safaricom, but what is the issue you have with hosting the dbase and web on the same server? I know most people do that. I do it without any complications.

--
˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙ 'spɹɐƃǝɹ ıʞnɾu pıʌɐp

Yeah, I do the same too... I think the consideration for separating the http server from a db server is when the hardware cannot support the combined load... or not?

--------------------------------------------------
From: "Haggai Nyang" <haggai.nyang@gmail.com>
Sent: Wednesday, September 29, 2010 4:06 PM
To: <njukey@gmail.com>; "Skunkworks Mailing List" <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] pingili
True, you could separate them so that the entire setup can take more load: many processors and memory for the Apache, and lots of RAM and disk space for the database, and also to make sure that the database server is completely in a private network. I've heard of people flooding 3306/tcp with requests to create a DoS attack, even without knowing the username or passwords (if open to the outside world, that is). I believe separating has several benefits, the downside being cost.

Jangita | +254 76 918383 | MSN & Y!: jangita@yahoo.com
Skype: jangita | GTalk: jangita.nyagudi@gmail.com

On Wed, Sep 29, 2010 at 4:59 PM, David Njuki <njukey@gmail.com> wrote:
It's not about the complications, it's the risk you expose yourself to.
In Utopia, the database server is different from the web server and set up such that it can only be accessed from the IP address of the web server. Therefore, for someone to get unauthorized access to your database, they need to hack the web server first, then hack the database server from the web server. Two levels of obstacles.
But then again, that's Utopia.

@Peter, but then again you can host the web server and the db server on the same machine, and apart from where you're setting up a db master/slave setup, you can have the db server running only on 127.0.0.1: it can't be visible on any physical interfaces when you nmap it... unless you can hack the web server and get to the CLI, which is another matter altogether :)
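Both arrangements above, Peter's separate DB host that only the web server's address may reach and the same-host mysqld bound to 127.0.0.1, come down to two settings: where mysqld listens and which hosts the MySQL accounts are granted from. The following Python is an added example for this edit, not code from the thread or from any of the posters; the my.cnf fragments and account list are constructed, and 10.0.0.10/10.0.0.20 are assumed web and DB addresses.

```python
import configparser
import ipaddress

# Constructed my.cnf fragments for the layouts discussed in the thread: mysqld
# bound to loopback on the web host, the stock config that listens on every
# interface, and a separate DB host (10.0.0.20 is an assumed private address).
SAME_HOST_LOOPBACK = "[mysqld]\nbind-address = 127.0.0.1\n"
STOCK_OPEN = "[mysqld]\ndatadir = /var/lib/mysql\n"
SEPARATE_HOST = "[mysqld]\nbind-address = 10.0.0.20\n"

def listen_scope(my_cnf):
    """Classify where mysqld accepts TCP connections from, per its [mysqld] section."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(my_cnf)
    opts = {}
    if cp.has_section("mysqld"):
        opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    if "skip-networking" in opts:
        return "none"                       # Unix socket only; nothing on 3306/tcp
    addr = (opts.get("bind-address") or "").strip()
    if addr in ("", "0.0.0.0", "::", "*"):
        return "all-interfaces"             # MySQL's default: reachable on every NIC
    try:
        if addr == "localhost" or ipaddress.ip_address(addr).is_loopback:
            return "loopback"
    except ValueError:
        pass                                # a hostname rather than a literal address
    return "address:" + addr                # one specific (ideally private) interface

def db_exposure(my_cnf, accounts, web_server_ip):
    """Findings for accounts that could reach mysqld from outside the web tier.

    accounts: (user, host) pairs as stored in mysql.user; web_server_ip is the
    only remote host that should ever hold a grant."""
    scope = listen_scope(my_cnf)
    findings = []
    if scope == "all-interfaces":
        findings.append("mysqld listens on every interface; set bind-address")
    for user, host in accounts:
        acct = "'%s'@'%s'" % (user, host)
        if host in ("localhost", "127.0.0.1", "::1"):
            continue                        # usable only by processes on the DB host
        if scope in ("none", "loopback"):
            continue                        # grant is broad but unreachable remotely
        if "%" in host:                     # MySQL wildcard host pattern
            findings.append(acct + " accepts logins from any host; restrict to " + web_server_ip)
        elif host != web_server_ip:
            findings.append(acct + " is allowed from " + host + ", not the web server")
    return findings
```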

On Wed, Sep 29, 2010 at 5:06 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
Yes, that's Utopia :-)
It's actually okay to have the same on the same server when you consider the security of the apps you deploy! As much as I can see, the only security threats are likely to emanate from poorly programmed web apps, not the SQL server (I mean MySQL or PgSQL, not M$ SQL!), which is pretty easy to secure.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube

url=http://domains.safaricom.co.ke/asdf
Not Found
The requested URL /lsadfgbhn was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9 Server at domains.safaricom.co.ke Port 80
hhhmmmm!!!

On Wed, Sep 29, 2010 at 5:27 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:

On Wed, Sep 29, 2010 at 5:59 PM, Anthony Lenya <tlensya@gmail.com> wrote:
Wow!
Perhaps the versions of those apps have no security advisories affecting them, hence the lack of upgrade??

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube

@Anthony, that shows the security ignorance, nice one. Info Security 101: harden your webserver.

./Chuks

On 9/29/10, Odhiambo Washington <odhiambo@gmail.com> wrote:
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/

In my opinion, security of web apps is a cumulative task where you secure everything that can be secured within reason. So far, these are the points:
1. If a reverse DNS lookup can yield the IP address of domains.safaricom.co.ke, we have a target.
2. Due to the lack of custom 404 error handlers, we know the target runs RHEL5.
3. We also know there is a database on that target; we just need to find the port it's using.
4. We have a possibly working username (http://domains.safaricom.co.ke/webim/client.php) for that database; it's a matter of guessing the password.
5. We know that PHP 5.2.9 (http://www.securityfocus.com/bid/36449/info) has specific vulnerabilities on RHEL5.
If I was running that server, I would rather not have the facts above available to the general public, regardless of whether that server hosts "hello world" pages or not.
Next question I would ask: is domains.safaricom.co.ke a target worthy of the effort?
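A self-check for the disclosures Peter lists, meant to be run against your own server's error pages: it reports what an anonymous client learns from a response body and which directive removes it. This is an added Python example for this edit, not code from the thread; the two sample bodies are constructed from the responses quoted earlier in the thread with the hostname replaced by www.example.com, and the remediation map is the editor's, using the standard Apache and php.ini directives.

```python
import re

# Constructed sample bodies modelled on the two responses quoted in this thread:
# a PHP connect error leaked to the browser, and a stock Apache 404 page with
# ServerSignature on. The hostname is replaced by a placeholder.
DB_ERROR_PAGE = ("Could not connect: Access denied for user 'ccn'@'localhost' "
                 "(using password: YES)")
NOT_FOUND_PAGE = (
    "Not Found\nThe requested URL /lsadfgbhn was not found on this server.\n"
    "Additionally, a 404 Not Found error was encountered while trying to use an "
    "ErrorDocument to handle the request.\n"
    "Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 "
    "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9 "
    "Server at www.example.com Port 80")

# Strings an error page should never hand to an anonymous client.
CRED_ERROR = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
BANNER = re.compile(r"\b([A-Za-z_]+)/(\d[\w.\-]*)")        # Apache/2.0.63, PHP/5.2.9
OS_HINT = re.compile(r"\b(rhel\d|unix|win32|debian|ubuntu|freebsd)\b", re.I)

# Configuration change that removes each kind of finding.
FIX = {
    "db-user-leak": "log mysql_error() server-side and show a generic message",
    "version-banner": "ServerTokens Prod, ServerSignature Off, expose_php = Off",
    "os-hint": "ServerTokens Prod (drops the OS and module list)",
}

def audit_error_page(body):
    """Return (kind, detail) findings for one HTTP error-page body."""
    findings = []
    m = CRED_ERROR.search(body)
    if m:
        findings.append(("db-user-leak", "%s@%s" % (m.group(1), m.group(2))))
    for product, version in BANNER.findall(body):
        findings.append(("version-banner", product + "/" + version))
    for hint in sorted(set(h.lower() for h in OS_HINT.findall(body))):
        findings.append(("os-hint", hint))
    return findings

def fixes_for(findings):
    """Map findings to the distinct configuration changes that remove them."""
    return sorted({FIX[kind] for kind, _ in findings})
```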

I think it's worthy, because if you still probe around and work your way around, you will find some other boxes hidden, e.g. 41.203.208.26, and another well-firewalled appserver = 196.201.208.57. Lemme not expose more.

On 9/29/10, Peter Karunyu <pkarunyu@gmail.com> wrote:
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
Participants (8): Anthony Lenya, David Njuki, Gichuki John Chuksjonia, Gregory Okoth, Haggai Nyang, Jangita, Odhiambo Washington, Peter Karunyu