Cards and cables and exploits… oh my!
I finally got some freelance work again, so I decided it was time to invest in a little bit of backbone for my LAN. Most of my home directory on Nighthawk is mounted over NFS and I’m constantly doing strange things between boxes, so I decided that the thing most in order was an upgrade of my wired network to Gigabit. I’m honestly quite excited at the prospect of having a full 1000Mbps pipe between the computers on my LAN because it presents a rather valuable opportunity to integrate things even closer than they are now.
The upgrade was ordered on Saturday, give or take, and the first box came in today. It was just the more basic stuff from TigerDirect: the PCI cards (three white-box Netgear GA311s) and five Cat6 cables: three for Nighthawk, Bigmomma and Xombie, one for Scribus, which already has Gigabit, and one for Capsaicin in the event that I decide to upgrade her.
The switch was (I hope) the best part of the deal. It’s a NetGear JGS516 ProSafe switch with 16 Gigabit ports and decent specs for a lower-end switch. I plan to hook it into my WRT54GL and continue to use the GL as a wireless AP and PPPoE gateway. That hopefully won’t be too hard to configure since the GL has auto-sensing ports (and I have a crossover cable if needed).
So I got home from school today and there was a big shiny box waiting for me at the door of the basement. I went downstairs and proceeded to install the cards in all three boxen. I fired everything up and all was well. After a little bit of browsing, however, I noticed something had to be awry.
Yessir, we’ve arrived at the “exploits… oh my!” portion of this post. Thank you for your patience; it shall be rewarded momentarily, you sadistic little devil, you.
An automatic bot managed to find my old copy of RoundCube Webmail on Bigmomma. Sexy little web app; too bad they had to use a third-party library that insisted on using the PCRE “e” flag. The bot managed to upload a few files into Apache’s document root on Bigmomma and throw a little bit of extra code into my root .htaccess. If you want the IP address for ethical purposes and ethical purposes only (read: don’t DDoS it, just add it and its entire /24 to your blacklist because the entire network is considered malicious), it’s 91.212.65.95. It didn’t overwrite anything, and I know that it didn’t get the chance to do much more, because when it added an [L] RewriteRule to the top of my .htaccess, it stopped all URLs to PHP scripts from going through my virtual host logic and thus blocked access to the malicious script that was uploaded. Moreover, the stats script that the attacker was trying to run didn’t manage to run, because it was only able to inject itself into HTML documents when the URL ended in .html or .php (or some variant thereof). My server probably looks like a honeypot now!
A forensic sweep over the system found the offending IP and vulnerable script, and pretty soon I had quarantined the modified files and restored original ones – or, in the case of that old copy of Roundcube, deleted them except for the quarantine copy.
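For anyone wanting to script the sweep described above (the injected [L] RewriteRule in .htaccess and the files dropped into the document root), here is an added example in Python; it is not code from this post. The .htaccess contents and the `/roundcube/` prefix passed as a known-good target are constructed assumptions, not the real files from Bigmomma.

```python
import os
import re
import tempfile

# Constructed sample .htaccess (assumed, not the post's real file): a bogus
# rule injected at the top, above the owner's legitimate Roundcube rule.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^(.*)\\.php$ /images/stats.php [L]
RewriteCond %{HTTP_HOST} ^mail\\.example\\.test$
RewriteRule ^(.*)$ /roundcube/$1 [L]
"""

REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def suspicious_rewrites(htaccess_text, known_targets=()):
    """(line_no, line) for rules that carry [L], touch .php requests and point
    somewhere other than an expected target prefix."""
    hits = []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
        is_last = "L" in [f.strip().upper() for f in flags.split(",")]
        touches_php = ".php" in pattern.lower() or target.lower().endswith(".php")
        if is_last and touches_php and not target.startswith(tuple(known_targets)):
            hits.append((no, line.strip()))
    return hits


def files_modified_since(docroot, since_epoch):
    """Relative paths under docroot whose mtime is newer than since_epoch."""
    found = []
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime > since_epoch:
                found.append(os.path.relpath(full, docroot))
    return sorted(found)


def build_sample_docroot():
    """Throwaway docroot: index.html backdated to the epoch, fresh .htaccess."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.html")
    with open(index, "w") as fh:
        fh.write("<html></html>")
    os.utime(index, (0, 0))  # pretend this file was never touched
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(SAMPLE_HTACCESS)
    return root
```

On a real box, pass the actual document root and the time of the last known-good change to `files_modified_since`, and read each flagged .htaccess through `suspicious_rewrites`.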
So, there’s my little networking brawl for the day. It’s a hard life, ain’t it?