memcached

memcached

#! /bin/sh
#

PORT=11211
USER=nobody
MAXCONN=1024
OPTIONS=""
DAEMON=/usr/bin/memcached

RETVAL=0
prog="memcached"

start_instance() {
        echo -n $"Starting $prog ($1): "
        start-stop-daemon --start --quiet --pidfile /var/run/memcached/memcached.$1
.pid --exec $DAEMON -- -d -p $PORT -u $USER  -m $2 -c $MAXCONN -P /var/run/memcache
d/memcached.$1.pid $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/memcached.$1
        PORT=`expr $PORT + 1`
}

stop_instance() {
        echo -n $"Stopping $prog ($1): "
        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/memcached/memc
ached.$1.pid --exec $DAEMON 
        RETVAL=$?
        echo
        if [ $RETVAL -eq 0 ] ; then
            rm -f /var/lock/memcached.$1
            rm -f /var/run/memcached/memcached.$1.pid
        fi
}
start () {
        # insure that /var/run/memcached has proper permissions
        mkdir -p /var/run/memcached
        if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
                chown $USER /var/run/memcached
        fi

        start_instance default 64;
        start_instance block 16;
        start_instance content 128;
        start_instance filter 128;
        start_instance menu 16;
        start_instance mollom 8;
        start_instance page 8;
        start_instance views 8;
        start_instance views_data 8;
        start_instance sessions 8;
        start_instance users 8;
        start_instance path_source 8;
        start_instance patch_dest 8;
}
stop () {
        stop_instance default;
        stop_instance block;
        stop_instance content;
        stop_instance filter;
        stop_instance menu;
        stop_instance mollom;
        stop_instance page;
        stop_instance views;
        stop_instance views_data;
        stop_instance sessions;
        stop_instance users;
        stop_instance path_source;
        stop_instance patch_dest;
}

restart () {
        stop
        start
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status memcached
        ;;
  restart|reload|force-reload)
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload}"
        exit 1
esac

exit $?

There's a very high probability that this code init script causes memcache to be world accessible, which is bad!!!
(I believe this is just a hacked version of the CentOs memcache package init script)
See http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-minutes.html

To test it on your own server, just do this:

echo "stats" | nc yourserver.com 11211

If this command works from outside your server, you're at high risk of being hacked!!

Here's my fix:

Discussion of this:

• http://www.slideshare.net/sensepost/cache-on-delivery
• http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-minutes.html

Fix:

#from an outside machine, confirm vulnerability:
echo "stats" | nc yourdomain.com 11211   # bunch of stuff

ssh yourdomain.com

sudo vim - -R +":vert new /etc/init.d/memcached" +/OPTIONS +"set noro" <<EOT
Replace OPTIONS="" with the following:

# The following was modified on 2013-07-09, see https://gist.github.com/sirkitree/492804/#comment-859686
# OPTIONS=''
OPTIONS="-l 127.0.0.1"
EOT

sudo service memcached restart # success

#confirm memcache still accessible from localhost
echo "stats" | nc localhost 11211   # bunch of stuff

exit # go back to outside machine
# confirm that lockdown is in place
echo "stats" | nc yourdomain.com 11211   # NOTHING

Finally confirm that Drupal/memcache is still working:
http://yourdomain.com/admin/reports/memcache