back to article Remote IT support tool hijacks customer webserver

On Thursday morning, IT consultant Paul Nash received an urgent call from a client whose Apache webserver had crashed the previous night and inexplicably wouldn't restart. Equally vexing, people who tried to visit the client's website during the 10-hour outage received a message advertising TeamViewer, a maker of widely used …

COMMENTS

This topic is closed for new posts.
Gates Horns

Modifying the registry?

I take it his apache webservers are running under windows?

0
0
WTF?

WTF?

I'm sorry but WHY is some remote control software installing its own web server on port 80 on the machine anyway?

Sounds like a bit of a security risk if you ask me.

I'll know to avoid that software in the future. I tend to now use LogMeIn for a lot of my remote access stuff (well to Windows machines anyway, I use SSH for Linux boxes) and although it does have a basic web server running on it, it doesn't tie up port 80 and I've never known it to interfere with any other software which is installed.

Rob

0
0

@Modifying the registry?

Apache would respond the same way if the software opened port 80. I have no idea if the software runs on *nix, let alone in the same manner though.

I can see why the software might want to start a webserver a-la vnc, but using port 80 seems bizarre. Not to mention it would imply the software uses an unencrypted data stream, at least via the web interface. Given remote support could often involve entering passwords, that seems like a glaring omission.

0
0
FAIL

do not carry a knife to a gun fight...

"""After he escalated the complaint, Nash finally received instructions for modifying the registry of machines running TeamViewer so its webserver won't automatically start"""

Er - as pointed out by K 4 ... that would imply Nash and company are running production grade machines using Microsoft[tm] Windows[tm], and trusting in the good faith of who? and who else??

0
0
WTF?

did the TeamViewer ad not tip him off earlier?

maybe I am missing something but if I used TeamViewer for remote admin I might just suspect it a bit earlier if all I could see was an ad for TeamViewer on the site

0
0
Anonymous Coward

This explains something else

I wonder just what sort of processes TeamViewer has running. I've had a few instances where a Windows test system wouldn't accept an Apache stack at port 80, with nothing unusual showing.

Those machines have TeamViewer installed for home use, so I think taking that off may solve that strange problem. It's a good thing nothing in production has this installed..

0
0
FAIL

Re: did the TeamViewer ad not tip him off earlier?

"maybe I am missing something but if I used TeamViewer for remote admin I might just suspect it a bit earlier if all I could see was an ad for TeamViewer on the site"

You'd think that connection would be very easy to make. But then, equally easily, I don't see how it takes 90 minutes of troubleshooting to try to fire up Apache, get told it can't bind to port 80, then type netstat -b (lsof -i:80 on a non windaz server) to see what has bound to it, and shut it down.

Clearly TeamViewer should definitely not be trying to autostart its own webserver automatically for whatever reason it has and especially shouldn't on port 80 but this seems a problem that should be identifiable and correctable within minutes, rather than almost 12 hours.

0
0
Anonymous Coward

Why Port 80

I think it uses that port to bypass firewalls when in use, similar to skype I guess.

0
0

removed by symantec

Yesterday at work my anti virus flagged up a virus so i did a full scan of that machine (a dev server).

It flagged and removed Teamsite as a trojan.

0
0
Boffin

If you can't sysadmin

Then don't pretend you can

0
0
WTF?

I have to agree

I have to agree with the other AC, an hour and a half is a LONG time to take to figure out what was going on. However, considering it took the CLIENT 10 hours to call him, maybe he figured they wouldn't mind paying him a bit more.

Also, what kind of idiot runs Apache on Windows for a production machine? If you are going to run Apache, at least do it on a proper OS. The only reason I can see of running a web server on Windows is if you absolutely need IIS, say for ASP or .net

Then we wonder why people go pale and think we are screwing them over when we fix problems in minutes, yet still ask to get paid a full hour for our trouble. They are too used to getting screwed over by incompetent jackasses who can't do the job right ...

0
0
Bronze badge
Thumb Up

DameWare MRC

'Nuff said.

0
0

who is to blame

"On Thursday morning, IT consultant Paul Nash received an urgent call from a client whose Apache webserver had crashed the previous night and inexplicably wouldn't restart"

The blame lies wholly with IT consultant Paul Nash, that he configured such a system.

0
0

lol

calls himself an administrator that's definitely a 5 minute job

0
0
FAIL

Configuration?

I don't use TeamViewer. But surely. The port for the web interface. And the fact that the web interface even runs will be set in the config?

He sounds like an incompetent sysadmin. Who couldn't even kill the process.

0
0
WTF?

I mean WTF?

I mean wtf Apache on windoze, what's the point. It's like putting a wedding dress on a pig and trying to marry it.

0
0

I despair of this industry

1. If you are going to use remote management software (let us stress this - software that is giving you elevated management rights remotely!!) you must understand what it does and how it does it in detail. You cannot simply trust that the latest 'enterprise-ready tool du jour' will be secure. If you think you can, then find a new career!

2. If you call yourself an IT professional as another already pointed out, working out that Apache cannot start because port 80 has already been taken by another process is frankly trivial to solve. If that takes 90 minutes - find another career (Windows or Unix it makes no difference).

In Holland we have a word for this sort of individual - it is 'prutser'.

0
0
Paris Hilton

Oi! @ el reg mods and ads and ...

Dear el reg

Quite a few articles seem to end with "we have contacted so-and-so and soon as we have a reply we'll update the article accordingly" (or something similar).

I wondered if it would make journo along like of biting the hand that feeds IT to do a year end summary with top dog awards and blooper awards.

You know, contacted so-and-so and had so many replies, contacted um-n-um ... I am sure the idea is easy to grasp?

0
0
FAIL

Hmmmm....

Granted, for home PCs, it's a nice piece, avoids many hassles. But for midsized places or production? Oh my...

Can't remember quite when, but I'd say it was 7y ago that I made it clear that any place I remoted to admin had a nice box (size not matter) running *nix. Router>Box's SSH port>Internal Network. Tunneling almost anything is a joy...

Random (but known ofc...) SSH port, 2048b key and my rather unfriendly password would make it a nice challenge to any script kiddies around...

Ofc the potential for a SSH snafu was there, but in the end, I'd rather take my chances w/ that than trust something else...

Anyway, FAIL to TeamViewer for using a "reasonably popular" port and for the small mention of it in manual (check it, 2 lines worth and doesn't really state everything). FAIL to user too, for not checking out what DirectIn was and why on earth it would want to use UPnP to activate forwarding to port 80...

p.s. And yes, running Apache over Windoze on a production box really blows my mind... why on Earth...

0
0
FAIL

windaz

There's a good reason half the world uses unix and apache to do a proper job of hosting... You can ssh in and type things to fix them quickly. If ssh is fubar, you just log in via the terminal server. If it's really fubar, you can always drop to the lom and see why...

Windows server is usually installed because the tech guy is a microsoft guy, or because they have some oem support contract that mandates it.

I always remember an incident where a *large* corporation ran their 20 webserver farm on windaz because they believed the salesmen more than their tech consultants, Week 3 some script kiddie owned the farm, only he didn't realize it was load balanced by a F4 BigIP so kept coming back and trying again. About 10 of the 20 boxes were displaying his hack and we made the news (the reg too iirc) but our company toughed it out and denied it all. The exploit was a 0day and the client couldn't risk his reputation while microsoft scrambled to fix it so we used wget to make a static copy of their site, and hosted it on a single linux box running apache. Customer feedback was how responsive it had become :D

Shiny brochures, shiny marketing. Fail.

0
0

i use teamviewer

and so far it has been excellent it is fast reliable does what i want

we were using a no name company before that charged over £1000 a year for a service that we hardly used but this one one off payment and we were able to support as many people as we like so to be honest if this is only on the free version I really couldn't give a shit.

I'm still gonna call to make sure.

Right about NOW

0
0

M M M M M M Multi Post

Sorry about almost spamming

Also got some info that TeamViewer waits 6 min before going to port 80 so his servers may have been taking a while to start up

0
0
Stop

just got off the phone with TeamViewer support

if port 5938 is not open then it will default to port 80

Good to know tbh

0
0
FAIL

Conclusions?

So what conclusions can we make from this article guys?

That incompetent techs use tools written by incompetent people?

The tech being incompetent because he uses Windows on production servers and took 90 mins to figure it out.

The tool being stupid because it tries to autostart services which take up common port(s).

0
0
FAIL

Well, if you will run a joke OS

Then you get what you pay for ;)

I still can't understand why it took anyone half an hour to figure that one out, or even why a "professional sysadmin" [sic] would be using teamviewer for anything other than desktop support of lusers?

I mean, even without the huge clue of the "teamviewer" page appearing on port 80, don't you just look in the apache log, go "ooh, can't get hold of port 80, hmm ... netstat -tpl | grep 80 | less, ah there it is ... kill %1234, done" (I assume Windaz has some equivalent to netstat) if it takes you more than 5 minutes, then there's a clue it might be a good time to consider a career change or an OS change, depending on where the lack of clue is.

To be fair, teamviewer is a great tool for getting onto a users PC and giving it a poke, or helping your mum config her mail client, but it has no place on a production server, so they deserve all they got.

Actually, I'm still busy trying to come up with some way to parse a sentence with "production server" and "windows" in it.

0
0
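The port-ownership check the comments above describe (`netstat -b` on Windows, `netstat -tpl` elsewhere), as an added example that is not part of the original thread: it parses both output formats, which goes beyond any single command quoted here, and flags a watched port held by an unexpected executable. The sample output is constructed, and the `httpd.exe` / `apache2` allow-list names are assumptions.

```python
# Constructed sample outputs (not captured from a real host).
WINDOWS_ABNO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2044
 [TeamViewer.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     3310
 [firefox.exe]
"""
LINUX_TLNP = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  811/sshd
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1234/apache2
tcp6       0      0 :::80            :::*             LISTEN  1234/apache2
"""

def listeners(netstat_text):
    """Return (port, pid, owner) for each listening TCP socket in the output."""
    found, pending = [], None
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower()
        if proto.startswith(("tcp", "udp")):
            pending = None  # a new socket row ends any wait for an owner line
            hits = [i for i, f in enumerate(fields) if f in ("LISTEN", "LISTENING")]
            if not proto.startswith("tcp") or not hits:
                continue
            i = hits[0]
            port = int(fields[i - 2].rsplit(":", 1)[1])  # local address is two before state
            pid, _, name = " ".join(fields[i + 1:]).partition("/")
            found.append([port, int(pid) if pid.isdigit() else None, name or "unknown"])
            if not name:  # Windows -b names the executable on a later "[...]" line
                pending = found[-1]
        elif pending is not None and fields[0].startswith("[") and fields[-1].endswith("]"):
            pending[2] = line.strip()[1:-1]
            pending = None
    return [tuple(entry) for entry in found]

def unexpected_owners(netstat_text, expected):
    """expected maps a port to the set of lower-case executable names allowed on it."""
    return [(port, pid, owner) for port, pid, owner in listeners(netstat_text)
            if port in expected and owner.lower() not in expected[port]]

if __name__ == "__main__":
    # "httpd.exe" as the expected Apache binary name is an assumption.
    print(unexpected_owners(WINDOWS_ABNO, {80: {"httpd.exe"}}))
```

Run on a schedule against live `netstat` output, the same comparison reports a port 80 takeover when it happens instead of after the site has been down overnight.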
FAIL

Not surprising

TeamViewer isn't the greatest application in the world, their support is slow and sometimes unresponsive, as is the application itself. I use it once in a while, only because I can't find a better *free* program.

0
0
Joke

@wallyb132

wow I guess I'm just blessed :D

sorry

0
0

Establishing secure TeamViewer connections

One of the key features and the main concerns in the design of TeamViewer are data privacy protection and performance. TeamViewer allows connections to remote computers even if they are located behind firewalls. In order to maximize the success rate when establishing a connection, TeamViewer uses different destination ports depending on their availability. If an outgoing connection to port 5938 is not possible because the firewall of the connecting machine blocks the traffic TeamViewer automatically switches to port 80 which is (and has to be) the port for web servers.

In order to maximize the performance of a connection TeamViewer also tries to establish direct TCP connections instead of routed ones whenever possible. Therefore on the remote computer incoming ports 80 and 5938 are opened when TeamViewer is installed on a computer.

During system startup TeamViewer is designed to wait for several minutes in order to allow any installed web server to bind to port 80 so it should not happen that TeamViewer and Apache interfere. For seldom cases in which such interference happens we implemented the “This site is running TeamViewer” message to help for a quick location of the issue.

TeamViewer uses the highest security standards, all data exchanged is encrypted by 256bit AES session encoding. The software looks for incoming requests if related to TeamViewer and doesn't spy on any data. Please see our security site http://www.teamviewer.com/products/security.aspx for further information or get in touch with us.

We are very sorry if the behavior of our software caused any misinterpretation!

Constantin

TeamViewer GmbH Germany

0
0
FAIL

Numbn*ts

Hey TV is a great support tool for PCs. It is not meant to remotely admin a web server. So the fault lies with Paul and not TV. Come on, that is like using a screwdriver to pound nails, use the right tool, you tool, and you will get the right results.

Fail coz the sysadmin did, not the application.

0
0

@AC

hmm I use the remote host tool quite useful quicker than VNC

0
0

@Constantin/Teamviewer

Your assurances are unsupported by any proof and are therefore worthless. Fools will take them at face value. Shrewd people will question them. Cynics will suspect the worst. "We don't spy" ... haha .. "Scout's honor"?

0
0
Anonymous Coward

Is this now Slashdot?

Lots of assumptions by many here- and a bit of haughtiness-:

1. That the admin actually built the server. It doesn't say that. It says that he supported it. How many of us here have been forced to support a box that's not the way we would have wanted it? Or do we all of us have the luxury of refusing work?

2. Was it definitely a webserver? Lots of Windows software installs Apache as a platform. Doesn't mean the box's PURPOSE was to serve webpages.

3. That the guy actually installed or asked for TV to be installed. Maybe it was there already?

I post because of the general unfriendly tone of the replies- far too Slashdot-like.

0
0

RDP anyone?

Geez, he uses a Windows server and he doesn't have RDP enabled?

Anyone, class, anyone?

0
0
Thumb Up

Re: Is this now Slashdot?

I agree.

The evidence for this is the worthless post by a person who cynically calls himself "Steve Bush".

0
0