Attacking Multicore CPUs (new Vulnerability Discussion From Slashdot/The Register)
Sep 16, 2007
Attacking multicore CPUs
"The Register reports that the world of current multi-core central processing units (CPUs) that we have just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software. The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a carefully written exploit can attack in the little timeframe when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."
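The race the summary describes is a check-then-use problem: a wrapper validates a system-call argument that still sits in memory the calling process controls, and the kernel then reads that argument a second time. The model below is an added illustration, not Watson's code or exploit; the policy, the path names and the explicit interleaving callback (used instead of a real second thread so the outcome is reproducible) are all constructed. It shows the vulnerable pattern next to the standard mitigation, which is to copy the argument once into private memory and run both the check and the use on that copy.

```python
"""Model of the wrapper race described in the post above.

Added illustration (not Watson's code): a security wrapper validates a
syscall argument that lives in memory the calling process still controls,
then hands control to the kernel, which reads the argument again.  A second
thread rewriting the buffer in between makes a different, unchecked value
reach the kernel.  The mitigation shown is the standard one: copy the
argument into memory the caller cannot touch and run both the check and the
use on that private copy.
"""
from typing import Callable, List

# Constructed policy for the toy wrapper: block any open() under /etc.
DENIED_PREFIX = "/etc/"


class UserArgs:
    """Stands in for the user-space buffer holding the syscall's path argument."""

    def __init__(self, path: str) -> None:
        self.path = path


def policy_allows(path: str) -> bool:
    return not path.startswith(DENIED_PREFIX)


def kernel_open(path: str, audit: List[str]) -> str:
    """Stands in for the real syscall; records what actually reached the kernel."""
    audit.append(path)
    return path


def vulnerable_wrapper(args: UserArgs, between: Callable[[], None], audit: List[str]) -> str:
    """Check-then-use on shared memory: the argument is re-read after the check."""
    if not policy_allows(args.path):      # check: reads user memory
        raise PermissionError(args.path)
    between()                             # models another thread being scheduled here
    return kernel_open(args.path, audit)  # use: re-reads user memory, now possibly changed


def hardened_wrapper(args: UserArgs, between: Callable[[], None], audit: List[str]) -> str:
    """Copy once, then check and use the private copy; later writes are irrelevant."""
    private_copy = args.path              # the one and only read of user memory
    if not policy_allows(private_copy):
        raise PermissionError(private_copy)
    between()
    return kernel_open(private_copy, audit)


def run_race(wrapper: Callable[..., str]) -> str:
    """Drive one wrapper through a deterministic version of the race.

    The interleaving is made explicit (a callback instead of a real second
    thread) so the result is reproducible; in reality the window must be hit
    by scheduling, which is why the attacks are probabilistic.
    """
    args = UserArgs("/tmp/harmless")                       # passes the check
    audit: List[str] = []

    def rewrite_buffer_after_check() -> None:
        args.path = "/etc/crontab"                         # swapped in after the check

    try:
        return wrapper(args, rewrite_buffer_after_check, audit)
    except PermissionError as denied:
        return "DENIED:" + str(denied)


def denied_outright(wrapper: Callable[..., str], path: str) -> bool:
    """True when the wrapper rejects a forbidden path with no race involved."""
    try:
        wrapper(UserArgs(path), lambda: None, [])
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("vulnerable wrapper let through:", run_race(vulnerable_wrapper))
    print("hardened wrapper used:", run_race(hardened_wrapper))
```

Both wrappers reject a forbidden path when nothing changes underneath them; only the copy-once version still rejects it when the buffer is rewritten between the check and the use, which is the whole point of the mitigation.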
I have 2 blogs with ixwebhosting.com for 1 1/2 years. For 10 days my blogs are getting attacked frequently. Every time I am cleaning and reporting to them. They also clean it, but it is attacked again. They said my system has a virus (but I have the latest BitDefender 2010 Total Security, probably the best antivirus). I also have accounts with 3 more hosts with many sites. Everything works fine.
I am asking them why only this account is getting affected if I have a virus in my system. I already moved one site to another host where it is working fine now. Except for this problem they are very good, so I can't leave them.
If anyone has experienced this kind of problem, please suggest what to do.
I learned the hard way last year when my website (on GoDaddy shared hosting) made the front page of Digg. GoDaddy suspended my account in a hurry (and didn't bother to inform me, but that's another story). I'm planning to get a VPS account with SLHost to prepare for future traffic growth.
How should I configure the server to best handle a huge spike in traffic? From what I can gather, there are a number of factors:
- Max HTTP connections (MaxClients in Apache)
- Max number of open file handles allowed (a kernel thing)
- Virtuozzo allowed TCP connections
This post at webhostingtalk.com/showthread.php?p=4552677#post4552677 by Josh at SLHost outlines the defaults for their VPS servers:
Quote:
Are you referring to HTTP connections or other? By default, the MaxClients setting is at 256 clients and would need a recompile if you want more. The number of open files allowed is set to 1024 by default and can be raised. There are also Virtuozzo allowed TCP connections, which is set at 1200 and we've noticed that anything more than that should either be on an Enterprise VPS package or low end dedicated server at least.
Should I do any tweaking to the defaults if I want to survive another Digg onslaught?
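The three ceilings named in the thread (MaxClients, the open-file limit and the Virtuozzo TCP connection quota) only matter once you know which one binds first, and on a small VPS that is usually memory. The script below is an added example, not anything from the post or from SLHost: it takes the quoted defaults (256, 1024, 1200) as parameters, works out the largest prefork MaxClients each ceiling allows, and renders an Apache 2.x prefork stanza for the smallest of them. The per-child RSS figure and the "two descriptors per connection" rule of thumb are assumptions; measure your own httpd children before trusting the number.

```python
"""Sizing Apache prefork against the three ceilings named in the thread.

Added example, not from the post or SLHost.  It uses the numbers quoted
above (MaxClients 256, 1024 open files, 1200 Virtuozzo TCP connections) as
defaults and works out which ceiling actually binds for a given amount of
RAM.  The per-child memory figure and the "two descriptors per connection"
rule of thumb are assumptions; measure your own httpd RSS first.
"""
from typing import Dict


def prefork_capacity(total_ram_mb: int, reserved_mb: int, per_child_mb: float,
                     open_file_limit: int = 1024, tcp_conn_limit: int = 1200,
                     fds_per_connection: int = 2) -> Dict[str, object]:
    """Return the largest MaxClients the box can carry and which limit sets it.

    ram:        memory left after the OS, MySQL, etc. divided by one child's RSS
    open_files: assumed container-wide open-file ceiling, ~2 fds per connection
                (the client socket plus the file being served)
    tcp:        the Virtuozzo TCP connection quota
    """
    if per_child_mb <= 0 or fds_per_connection <= 0:
        raise ValueError("per-child memory and fds per connection must be positive")
    ram_bound = max(0, int((total_ram_mb - reserved_mb) / per_child_mb))
    bounds = {
        "ram": ram_bound,
        "open_files": open_file_limit // fds_per_connection,
        "tcp": tcp_conn_limit,
    }
    binding = min(bounds, key=bounds.get)
    return {"max_clients": bounds[binding], "binding_limit": binding, "bounds": bounds}


def prefork_stanza(max_clients: int, max_requests_per_child: int = 4000) -> str:
    """Render an Apache 2.x prefork block sized to max_clients.

    ServerLimit is set alongside MaxClients because MaxClients cannot exceed
    it; the spare-server counts are a fraction of the total so that a spike
    does not pay a fork() for every new client.
    """
    spare_min = max(2, max_clients // 20)
    spare_max = max(spare_min + 1, max_clients // 5)
    lines = [
        "<IfModule mpm_prefork_module>",
        f"    StartServers          {spare_min}",
        f"    MinSpareServers       {spare_min}",
        f"    MaxSpareServers       {spare_max}",
        f"    ServerLimit           {max_clients}",
        f"    MaxClients            {max_clients}",
        f"    MaxRequestsPerChild   {max_requests_per_child}",
        "</IfModule>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: a 1 GB VPS keeping 256 MB for the OS and MySQL,
    # with httpd children measured at about 15 MB RSS each.
    sizing = prefork_capacity(total_ram_mb=1024, reserved_mb=256, per_child_mb=15)
    print(sizing)
    print(prefork_stanza(int(sizing["max_clients"])))
```

On the constructed 1 GB VPS the answer is 51 children, well under the 256 default; raising MaxClients there would only let a Digg spike push the box into swap. The open-file and TCP quotas start to bind only on boxes with several gigabytes of RAM, which matches the advice in the quote to move to a bigger package before going past 1200 connections.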
A friend of mine is interested in starting a large internet forum to discuss hunting, fishing, target shooting, and other outdoors activities. He has asked me for some help in getting things started but I must admit that this is an area where I don't have a lot of experience. I've been involved with computers for many years now but mainly with general PC repair and the desktop support side of things.
I know these questions are rather general and may be hard to answer. I'm just trying to get some opinions that I can pass along to my friend.
1. What all would be involved in setting up a forum? I understand that he would likely use vbulletin or phpBB as the forum software.
2. Would he need to build a dedicated server and have it set up in a data center or could he use one of the "Unlimited" web hosting packages from a company such as Godaddy.com?
3. What type of costs are involved and what should he expect to pay on a monthly basis?
Godaddy has hosting packages for $14.99/month with 300GB of space and 3,000GB of transfer. Would a package like this work?
As you can see I'm really lost when it comes to starting up something like this.
I have a site which involves heavy CPU use, but it's in a small private network with 3 other boxes which are pretty much idle, so I'm wondering is there a way to use the idle CPU time/RAM, possibly on my main server via the network?
I have to make an argument for going with Intel chips for some new platforms. These will be used in Xen VPS hosting.
Scanning through the products of newegg for example, it would seem first that AMD boards (Opterons) are cheaper than Intel's 775 boards. Then the Intel boards also require FB-DIMMs which are a bit more expensive than Registered RAM.
I know a lot of hosters here prefer going with Intel. Are there any other reasons than just following the crowd? I do know Intel chips perform better, but does that warrant, say, 300 more dollars for going with an Intel-based solution?
What would be some convincing arguments for going with Intel instead of AMD chips?
Many people have some problems with VMware Server on some 64-bit operating systems. If your server's RAM is more than 6GB, you have to have a 64-bit OS, but I have tried to install VMware Server on a 64-bit server and it seems to be crashing my VMware Server every 5 min and I can't use it any more until I reset this service.
Are there particular versions of mysql or apache that are best suited when you want to utilize a multi-core/multi-cpu system? For example, we are currently using apache 1.3 and I am not sure if it has the inherent ability to use multiple cpus to its benefit.
Or would the fact that it spawns child processes take advantage, as the processes will be spawned on the different CPUs?
This security flaw came to light at the end of October and I didn't find it posted already, so I thought it worth mentioning, having tested the helpdesks for some sites that we use and found them to be at risk. Details and a demo exploit URL can be found at [url].
For anyone who doesn't know, XSS flaws that allow execution of arbitrary javascript can be exploited easily and without user knowledge to obtain information such as login details or session IDs. This could happen in various ways, including visiting an unrelated page with a simple URL that redirects to the vulnerable URL and then back again. Tools such as NoScript for FireFox may help protect against this on the client side.
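NoScript helps on the client side, but the fix belongs in the application: encode untrusted input for the context it lands in, and keep the session id out of reach of script. The renderer below is an added example, not code from the advisory or from any helpdesk product; the page layout, the probe string and the cookie name are constructed. It shows the vulnerable splice next to the encoded one and a Set-Cookie line with HttpOnly, which stops an injected script from reading the session id even if another hole is found.

```python
"""Reflected XSS: the defect and the fix, in one small page renderer.

Added example, not code from the advisory linked above.  A helpdesk-style
search page echoes the query back; the vulnerable version splices it into
the HTML as-is, the hardened version encodes it for the context it lands in
(text node and attribute value) and marks the session cookie HttpOnly so a
script that does slip through cannot read it.  Layout and cookie name are
made up for the example.
"""
import html

# Constructed probe string: the kind of input a scanner or a demo URL sends.
PROBE = '"><script>alert(1)</script>'


def render_search_vulnerable(query: str) -> str:
    """Splices untrusted input straight into markup: classic reflected XSS."""
    return (
        '<form><input name="q" value="' + query + '"></form>'
        "<p>Results for " + query + "</p>"
    )


def encode_for_text(value: str) -> str:
    """For text between tags: < > & are enough, quotes do no harm here."""
    return html.escape(value, quote=False)


def encode_for_attribute(value: str) -> str:
    """For a double-quoted attribute value: quotes must be encoded as well,
    or the input closes the attribute and then the tag."""
    return html.escape(value, quote=True)


def render_search_hardened(query: str) -> str:
    """Same page, with each insertion encoded for its own context."""
    return (
        '<form><input name="q" value="' + encode_for_attribute(query) + '"></form>'
        "<p>Results for " + encode_for_text(query) + "</p>"
    )


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line that keeps the session id out of document.cookie."""
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_live_script(markup: str) -> bool:
    """Crude check used by the example: does a real <script> tag survive?"""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(PROBE))
    print("hardened:  ", render_search_hardened(PROBE))
    print(session_cookie_header("constructed-session-id"))
```

The two encoders differ only in whether quotes are encoded, and that difference is exactly what decides whether the attribute context can be broken out of; a single "escape everything" helper applied everywhere is fine too, as long as it is the stricter one.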
In order to run commands from the /scripts folder. This is especially dangerous as a user can give an account reseller privilege with full root access.
Because webshell.cgi is running with the uid/gid of apache, it can access all files which can be accessed by apache. And guess what.... the /scripts folder is one of them.
Because it's a CGI script, it doesn't seem as though there is an easy way to block this.
I am building a website which requires a data feed from a third party data provider. I have to fill out a 'questionnaire' when submitting my application and I'm not sure what to put for these questions.
Question: "Have you run a vulnerability assessment of network security? What is the current assessment rating?"
I Googled for security rating but came up blank, without any useful result. Is there a level like 1-5 or something for network security rating? I'm not sure what to put here.
I'm not against getting a shared/virtual hosting account if a host could provide me with these ratings.
Several potential security issues have been identified with cPanel software and Horde, a 3rd party bundled application. cPanel releases prior to 11.18.4 and 11.22.2 are susceptible to security issues, which range in severity from trivial to medium-critical. Along with the discovery of these potential issues, cPanel has released a new security tool to provide users with protection from XSRF attacks.
Quote:
All STABLE and RELEASE users are strongly urged to update to their respective 11.18.5 release. CURRENT and EDGE users should update to the latest 11.22.3 release. No releases are deemed susceptible to severe, critical or root access vulnerabilities.
We are currently running ColdFusion 9 on an Apache server. After running a Webinspect scan for one of our web applications, a weak cipher vulnerability was flagged as critical. Their recommended change to the httpd.conf file is listed below. We made the change and restarted our server but the same vulnerability came up again. How do we eliminate the weak cipher vulnerability?
I am using Plesk 11.0.9 and I want to disable SSL anonymous authentication. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm.
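Both of the last two posts come down to the same object: the OpenSSL cipher-list string behind Apache's SSLCipherSuite (Plesk writes the same directive into its Apache configuration). The "anonymous authentication" finding is the aNULL group, and a scanner that still reports weak ciphers after an edit is usually seeing a string that removes one alias but leaves the group reachable through another, or that was never applied to the vhost actually being scanned. The checker below is an added example, not Webinspect's rule set or anything from the posts: it parses the cipher-list syntax and reports weak groups a token enables and weak groups no `!` token pins off. The requirement that the seven listed groups be excluded with `!` is a defensive policy chosen for the example; the suggested replacement string is likewise an assumption to adapt, not a vendor recommendation.

```python
"""Audit an Apache SSLCipherSuite string for the weak groups scanners flag.

Added example; it is not Webinspect's check or anything from the posts.  It
parses the OpenSSL cipher-list syntax (tokens separated by ':', '!' removes
a group permanently, '-' removes until re-added, '+' moves to the end, and
'A+B' inside a token is the intersection of A and B) and reports two things:
weak groups that a token switches on, and weak groups that no '!' token pins
off.  Requiring '!' for the seven groups in MUST_EXCLUDE is a policy chosen
for this example: 'HIGH' on its own still admits anonymous (aNULL) suites,
and '!ADH' drops only anonymous DH, not anonymous ECDH, so '!aNULL' is what
the policy looks for.
"""
from typing import Dict, List, Set, Tuple

# group -> (aliases that enable it, '!' tokens that count as excluding it)
WEAK_GROUPS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "aNULL":  ({"aNULL", "ADH", "AECDH"}, {"aNULL"}),
    "eNULL":  ({"eNULL", "NULL"}, {"eNULL", "NULL"}),
    "EXPORT": ({"EXPORT", "EXP", "EXPORT40", "EXPORT56", "EXP40", "EXP56"}, {"EXPORT", "EXP"}),
    "LOW":    ({"LOW"}, {"LOW"}),
    "DES":    ({"DES"}, {"DES"}),
    "RC4":    ({"RC4"}, {"RC4"}),
    "MD5":    ({"MD5"}, {"MD5"}),
    "SSLv2":  ({"SSLv2"}, {"SSLv2"}),
}
MUST_EXCLUDE = ["aNULL", "eNULL", "EXPORT", "LOW", "DES", "RC4", "MD5"]

# A replacement string satisfying the policy above (assumed; adjust to your needs).
HARDENED_SUITE = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!RC4:!MD5"


def cipher_problems(spec: str) -> List[str]:
    """Return a human-readable finding per policy violation; empty means clean."""
    enabled_by: Dict[str, str] = {}
    excluded: Set[str] = set()
    for token in filter(None, spec.split(":")):
        modifier = token[0] if token[0] in "!-+" else ""
        body = token[len(modifier):]
        components = set(body.split("+"))   # 'RC4+RSA' -> {'RC4', 'RSA'}
        for group, (enablers, excluders) in WEAK_GROUPS.items():
            if modifier == "!":
                if components & excluders:
                    excluded.add(group)     # '!' is permanent, wherever it appears
            elif modifier != "-" and components & enablers:
                enabled_by.setdefault(group, token)
    problems = [f"{g} enabled by '{tok}'" for g, tok in enabled_by.items() if g not in excluded]
    problems += [f"no !{g} exclusion" for g in MUST_EXCLUDE if g not in excluded]
    return problems


if __name__ == "__main__":
    # Constructed sample: an old-style permissive string of the kind scanners flag.
    for spec in ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", HARDENED_SUITE):
        print(spec)
        for problem in cipher_problems(spec) or ["ok"]:
            print("  -", problem)
```

After changing the string, confirm it with `openssl ciphers -v '<string>'` on the server and rescan the exact hostname and port the scanner used; if the finding persists, the directive is most likely in a different vhost or is being overridden by a later SSLCipherSuite line.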
We have Plesk Panel 11.5 in Virtuozzo containers (CentOS 6 x86_64) and we often provide our customers with ssh access with chroot - /usr/local/psa/bin/chrootsh. We all know about the Shellshock vulnerability and we already installed all fixes to bash, but the chrootsh version is still vulnerable. Here are the results of BashCheck from [URL] ..... under a chrooted user:
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
bashcheck: line 15: 19226 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer.
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug).
Do you plan to release updates for chrootsh?
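A chroot shell environment carries its own copies of bash and the libraries it loads, so a package update on the host leaves those copies at the old build until the chroot template is rebuilt and pushed to each vhost; that is consistent with a patched host still showing "Vulnerable" inside the chroot. The script below is an added example, not a Plesk tool, for finding such stale copies: it hashes a list of files in the host root and in a chroot root and reports copies that differ or are missing. The file list and the chroot location are assumptions; substitute the template path your panel version uses and the binaries your chroot actually ships.

```python
"""Find chroot copies of binaries that were not refreshed by a host update.

Added example for the chrootsh situation above; it is not a Plesk tool.  A
chroot shell environment carries its own copies of /bin/bash and the
libraries it loads, so patching the host's bash leaves the copies at the old
build until the chroot template is rebuilt.  The function hashes each listed
file in the host root and in the chroot root and reports copies that differ
or are missing.  The file list and the chroot location are assumptions.
"""
import hashlib
import os
import tempfile
from typing import List, Optional

FILES_TO_COMPARE = ["bin/bash", "lib64/libc.so.6"]   # assumed list; extend per ldd output
CHROOT_TEMPLATE = "/path/to/chroot/template"          # placeholder; set to your panel's template


def sha256_of(path: str) -> Optional[str]:
    """Digest of a regular file, or None when it does not exist."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stale_chroot_files(host_root: str, chroot_root: str, rel_paths: List[str]) -> List[str]:
    """Relative paths whose chroot copy is missing or differs from the host's."""
    stale = []
    for rel in rel_paths:
        host_hash = sha256_of(os.path.join(host_root, rel))
        chroot_hash = sha256_of(os.path.join(chroot_root, rel))
        if chroot_hash is None or host_hash != chroot_hash:
            stale.append(rel)
    return stale


def demo_with_constructed_tree() -> List[str]:
    """Build a throwaway host/chroot pair in which bash was patched on the host only."""
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "host")
        chroot = os.path.join(root, "chroot")
        for base in (host, chroot):
            os.makedirs(os.path.join(base, "bin"))
            os.makedirs(os.path.join(base, "lib64"))
            with open(os.path.join(base, "lib64", "libc.so.6"), "wb") as fh:
                fh.write(b"same libc build\n")         # constructed stand-ins, not real binaries
        with open(os.path.join(host, "bin", "bash"), "wb") as fh:
            fh.write(b"bash with parser fix\n")
        with open(os.path.join(chroot, "bin", "bash"), "wb") as fh:
            fh.write(b"bash before the fix\n")
        return stale_chroot_files(host, chroot, FILES_TO_COMPARE)


if __name__ == "__main__":
    print("constructed demo, stale:", demo_with_constructed_tree())
    # Real use: stale_chroot_files("/", CHROOT_TEMPLATE, FILES_TO_COMPARE)
```

Run it against the template first and then against each vhost's chroot directory, because the per-vhost copies are made from the template and can lag behind it as well; anything listed needs the template rebuilt and re-applied before BashCheck inside the chroot will come back clean.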
Code:
TMPS="/tmp/sim_cj"
Line 399, file sim-2.5-3/install/sim
Code:
cat $TMPS >> /etc/crontab
If a local user creates a symlink to that file, then writes to the sim_cj file being linked to, as SIM is being installed, they can influence the contents of /etc/crontab.
Contacted the vendor via email on 04/17/07, email bounced. Opened a ticket via their helpdesk ~5 days ago, no response.
Again, this is only an issue during the install, which is an extremely small window of time. Any bug that could lead to root access should be fixed, however.
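The defect above is a fixed, world-writable temp path opened without any guard against a pre-existing entry, so whoever plants a symlink at that name first chooses where the installer's write lands. The script below is an added example, not the vendor's installer: it reproduces the behaviour inside a throwaway directory (the "victim" file stands in for /etc/crontab) and places the two standard fixes beside it. Creating with O_CREAT|O_EXCL makes open() fail if anything already exists at the name, symlink or not; O_NOFOLLOW is added as a second line of defence; and mkstemp() removes the predictable name altogether. All paths are constructed inside a temporary directory.

```python
"""The symlink race from the SIM advisory above, and file creation that avoids it.

Added example, not the vendor's installer.  The installer appends to a fixed
path under /tmp and later feeds that file into /etc/crontab; if the path
already exists as a symlink, an ordinary open() follows it and the write
lands wherever the link points.  The safe variant creates the file with
O_CREAT|O_EXCL so an existing entry (symlink or not) makes the open fail,
adds O_NOFOLLOW as a second line of defence, and restricts the mode; or it
avoids fixed names entirely with mkstemp().  All paths are constructed
inside a temporary directory.
"""
import os
import tempfile
from typing import Dict


def predictable_append(path: str, data: bytes) -> None:
    """What the installer does: open a fixed name for append, following links."""
    with open(path, "ab") as fh:
        fh.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Create a brand-new file at path or fail; never reuse or follow an existing entry."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # FileExistsError if anything is already there
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def private_tempfile(data: bytes) -> str:
    """Unpredictable name, created atomically with mode 0600: nothing to pre-link."""
    fd, path = tempfile.mkstemp(prefix="sim_cj.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> Dict[str, bool]:
    """Replay the race in a sandbox and report how each approach behaves."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "crontab")           # stands in for /etc/crontab
        planted = os.path.join(tmp, "sim_cj")           # the fixed temp name the installer uses
        open(victim, "wb").close()
        os.symlink(victim, planted)                     # link planted before the installer runs

        predictable_append(planted, b"constructed line\n")
        with open(victim, "rb") as fh:
            followed = fh.read() != b""                 # the write went through the link

        try:
            safe_create(planted, b"constructed line\n")
            refused = False
        except FileExistsError:
            refused = True                              # O_EXCL saw the existing entry

        fresh = private_tempfile(b"constructed line\n")
        standalone = os.path.isfile(fresh) and not os.path.islink(fresh)
        os.unlink(fresh)
        return {"predictable_followed_symlink": followed,
                "safe_create_refused": refused,
                "mkstemp_is_regular_file": standalone}


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the second line of the installer: once the temp file is created safely, keep its descriptor and read from that, rather than reopening the path by name before the `cat ... >> /etc/crontab` step.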
I have started moving domains from a cPanel/WHM server to my HSphere server that uses a new nameserver, but have come up against a problem with the new nameserver.
When moving .biz/.info domains I get an error about the nameserver not being registered. After doing some searching it appears that some domain registrars (in this case 123reg) are starting to enforce a security feature whereby all registrars need the name server registered before you can point any domain name to the name server.
Digging further I found this at stargate.com, where I have my HSphere service domain:
1. Registering a Child Name Server as mentioned above is just the first step. The Child Name Server needs to be registered at the Registry to only serve as a non-authoritative Record should your Child Name Server not be resolvable in some extreme condition.
This Name Server would start working only after you have added an Address (A) Record or Canonical (CNAME) Record for this Name Server within the Zone for the domain name (of this Child Name Server) at your own DNS Server, thus binding the NS to the IP Address.
Examples
i. If you are running your own DNS Servers then you would need to add a Zone for the domain name your-domain-name.com and create an A Record like
ns1.your-domain-name.com. 38400 IN A 111.222.333.444
ii. If you wish to simply point your Name Servers to another Name Servers, you may add a CNAME Record to those (while ensuring that those Name Servers have an A Record within the Zone created for your Name Servers as well).
ns1.your-domain-name.com. 38400 IN CNAME ns1.service-provider.com
Also at ns1.service-provider.com there should be a Zone for your-domain-name.com with an A Record for ns1.your-domain-name.com, making it authoritative for resolving your-domain-name.com.
In most cases your ISP would have already created the above for you and you need not bother about the same.
My service domain, the one I am using for nameservers, has HSphere DNS settings that look like:
Name               TTL    Class  Type  Data
cp.mydomain.net    86400  IN     A     85.264.15.83
ns1.mydomain.net   86400  IN     A     85.264.15.84
ns2.mydomain.net   86400  IN     A     85.264.15.85
web.mydomain.net   86400  IN     A     85.264.15.86
mail.mydomain.net  86400  IN     A     85.264.15.87
mysql.mydomain.net 86400  IN     A     85.264.15.88
So from what I can tell I have fulfilled the criteria?
I have to say I am a little confused over this!
I am thinking that maybe I have to make some changes at stargate.com or maybe get my co-lo provider to make changes?
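What the registrar is checking for a child name server is narrow: the host must be under the domain being edited, and the registry needs an IP address for it, which is taken from an A record in that domain's own zone. The check below is an added example, not part of the post or of HSphere: given a zone as (name, type, data) records, it reports each name server that is outside the zone, has only a CNAME rather than an A record, or has an address that is not a valid IPv4 address. The zone it runs on is constructed for the example, with names and addresses of its own.

```python
"""Check that the child name servers of a zone have the A records the registry needs.

Added example, not part of the post or of HSphere.  Given the zone's records
as (name, type, data) tuples, it verifies for each name server that the host
is inside the zone, that an A record (not only a CNAME) exists for it, and
that the address is a syntactically valid IPv4 address, since those are the
things the registrar asks for when it registers a child name server.  The
zone below is constructed for the example.
"""
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, data)

# Constructed zone modelled on the layout in the post (different names and IPs).
SAMPLE_ZONE: List[Record] = [
    ("cp.example.net", "A", "192.0.2.10"),
    ("ns1.example.net", "A", "192.0.2.11"),
    ("ns2.example.net", "A", "192.0.2.300"),          # typo in the address
    ("ns3.example.net", "CNAME", "ns1.example.net"),  # alias only, no address of its own
    ("web.example.net", "A", "192.0.2.13"),
]


def glue_problems(zone_name: str, records: List[Record], nameservers: List[str]) -> List[str]:
    """Return one message per name server that cannot be registered as glue."""
    problems = []
    zone = zone_name.rstrip(".")
    for ns in nameservers:
        host = ns.rstrip(".")
        if not host.endswith("." + zone):
            problems.append(f"{host}: not under {zone}, register it at that domain's own registrar")
            continue
        a_records = [r for r in records if r[0].rstrip(".") == host and r[1] == "A"]
        cnames = [r for r in records if r[0].rstrip(".") == host and r[1] == "CNAME"]
        if not a_records:
            if cnames:
                problems.append(f"{host}: only a CNAME to {cnames[0][2]}; the registry needs an A record")
            else:
                problems.append(f"{host}: no A record in the zone")
            continue
        for _, _, addr in a_records:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                problems.append(f"{host}: '{addr}' is not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    wanted = ["ns1.example.net", "ns2.example.net", "ns3.example.net", "ns1.other.org"]
    for line in glue_problems("example.net", SAMPLE_ZONE, wanted) or ["all name servers have usable glue"]:
        print(line)
```

A clean result here covers only the zone side; the registrar still has to be told the host name and address (the "register a child name server" step), and some registries then check that the address answers for the zone, so the A record must be live at the IP before the registration is attempted.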
I want to make my own website and want to ask a few questions.
I want to register a domain name so that no one else registers it; where do I do it? I don't need any space to host my web, I just want to register that domain name. Is it possible?
When my webpage is completed, I'll have to host it somewhere like HostMonster, which will provide me space, so can I transfer my domain name which I have registered to HostMonster or any other one?
Is it a good idea to use different companies for registrar and web host?
and
Do web hosts add your site automatically to search engines? I ask because godaddy has something called Traffic Blazer and it says "Traffic Blazer helps get your Web site listed with Google®, Yahoo!®, MSN® and others." and they charge $27 for two years. So I am wondering, do you need this in order for your website to be listed or something?
Does anyone know how to register nameservers with 1and1.com. This is where I have my domains and can't find anywhere to register my new dedicated server nameservers.
Some of my clients are hosting osCommerce sites on my server (CentOS 5/WHM) and are requiring register_globals to be turned ON. Is there any way to have it ON only for this specific account?
Is there a way to have an osCommerce site working properly with register_globals OFF?
Is there some website builder on which I can add Login and Register lines, so people can register on the website and login anytime? And do you know if there is this feature in RVSiteBuilder and Fantastico? If not, can you tell me a host who provides it, and also a forum builder.