Fingerprinting web applications

This paper describes a technique to remotely detect the version (fingerprint) of a web application. We cover WordPress, Mediawiki and Joomla in the article, but it can be easily extended to other applications.

At the end, we also provide a live tool that fingerprints any site, so you can check whether it reports the right version.

Link:
http://sucuri.net/?page=docs&title=fingerprinting-web-apps

Quick Sucuri Update

We are very happy to announce that we reached 5 thousand (yes, 5k) sites being monitored by our Network Integrity Monitor solution.

To celebrate, we are releasing an update to our dashboard and a new Premium offering with advanced features.

That’s what you get with Premium (only $9.99 per month):

  • Support for password protected pages (using Basic, NTLM or custom POST authentication)
  • Support for private RSS feeds
  • Granular alerting configuration (per host)
  • Option to alert only if a malware (or major site error) is detected
  • Priority support
  • Hands-on assistance removing malware when needed

Upgrade to Premium by visiting: http://sucuri.net/?page=docs&title=premium

Any questions? Let us know in the comments or via email!

Don’t forget to follow us on Twitter: http://twitter.com/sucuri_security .

Thanks again!

New Security Bloggers Network (SBN) member

We are very happy to be the newest member of the Security Bloggers Network (SBN). Thanks to Alan Shimel for setting this up very quickly and welcoming us.

You can expect lots of updates from our Honeypot analysis, as well as news of what is happening over at http://sucuri.net and the new research we are doing.

If you are interested in what we do, check out our Network Integrity Monitoring solution:

Be notified when the integrity of your Internet presence is changed.

* DNS and Whois Hijacking monitoring
* Web site defacement, malware and blacklist detection
* Receive alerts showing WHAT changed, not only that it happened
* Be the FIRST to know if something is ever altered or unavailable!
* Try now, it is free and easy to get started.

Downforeveryoneorjustme is down

The service http://www.downforeveryoneorjustme.com/ has been down for at least a few hours already. I got the first notification via sucuri.net a few hours ago saying that the page had changed:

Content changed:
> Index of /
>
> * cgi-bin/
>
> Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.7a mod_auth_passthrough/2.1
> mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.11 Server at downforeveryoneorjustme.com Port 80

After that, another alert saying that the page was offline and that their name server was not responding:

Site offline: http://www.downforeveryoneorjustme.com
downforeveryoneorjustme.com: no DNS servers could be reached

What I found weird was the page change before the DNS issues… It shows again how useful our Network Integrity Monitor can be for spotting these issues.

Honeypot analysis – Looking at SSH scans

An integral part of the Sucuri project is to research and monitor current attacks as a way to improve our defense techniques. To achieve that, we have been running a few honeypots for almost a year, collecting data from the attacks used and learning from them.

After a year, I think we are ready to start sharing the information we have learned…

The first step was to create a page with information about the systems involved in web attacks. We also have two blacklists updated daily: the first is composed of the domains hosting the malware/PHP/Perl scripts, and the second of the IP addresses that are actively scanning our honeypots. You can check them out, plus the tools used, at Blacklist and Research based on web attacks.

Now, the second step is to write about the attacks we are seeing to help educate others…

Looking at SSH scans

All our honeypots run a modified SSH server that records every connection attempt, the user name and password used, and everything typed if the attacker gets in. Over the course of one year we recorded more than 1,600 different SSH scans against our systems. The data below covers only the last few months; the first number in each row is the number of different scans in which that entry was logged.

TOP 50 user/password combinations

# USER, PASS
16 oracle, oracle
13 root, root
12 root, abc123
12 root, 123456
11 tester, test
10 uploader, uploader
10 test123, spam
10 qwerty, testuser
10 qazwsxedc, tester
10 password, test1
10 password, john
10 password, cstrike
10 123456, testuser
10 123456, test2
10 123456, raqbackup
10 123456, gamer
10 123456, cvsadm
10 123456, calendar
10 123456, bill
9 root, 123qwe
9 mike, mike
9 agata, agata
8 test, test123
8 root, qwerty
8 marketing, marketing
8 johan, johan
8 joan, joan
8 ftp, ftp123
8 ftp, ftp
8 carla, carla
8 bruno, bruno
8 admin, admin
8 123, user
7 test, test
7 tech, tech
7 root, password
7 ronaldo, ronaldo
7 raimundo, raimundo
7 nick, nick
7 max, max
7 library, library
7 jeff, jeff
7 internet, internet
7 hans, hans
7 grace, grace
7 ftp, ftpuser
7 frank, frank
7 francisco, francisco
7 francis, francis

It is interesting to note that the first column holds the user name, and we see many entries for 123456 with the password testuser or bill. My guess? Someone messed up the password lists and inverted the order… Anyone have ideas?
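The counting behind these tables, as an added example that is not Sucuri's honeypot code: each entry is counted by the number of distinct scans it appeared in (not by raw attempts), and pairs whose reverse was also logged are listed as candidates for the "inverted order" mistake. The log format ("scan_id user password" per line) and the sample lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log: three scans, repeated credentials, and one pair
# (123456/testuser) that also shows up reversed (testuser/123456).
SAMPLE_LOG = """\
scan-1 root root
scan-1 root 123456
scan-1 123456 testuser
scan-2 root root
scan-2 oracle oracle
scan-2 123456 testuser
scan-2 123456 testuser
scan-3 testuser 123456
scan-3 root abc123
scan-3 oracle oracle
"""

def parse_log(text):
    """Yield (scan_id, user, password); only the first two fields are split
    off, so a password containing spaces survives intact."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        scan_id, user, password = line.split(" ", 2)
        yield scan_id, user, password

def distinct_scan_counts(records, key):
    """Map key(user, password) -> number of distinct scans it was seen in.
    A pair tried ten times inside one scan still counts once, which is
    what "in how many different scans it was logged" means."""
    seen = defaultdict(set)
    for scan_id, user, password in records:
        seen[key(user, password)].add(scan_id)
    return {k: len(v) for k, v in seen.items()}

def top(counts, n):
    """Highest count first, ties broken by key, like the TOP lists."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def reversed_pairs(combos):
    """(user, pass) pairs whose swap (pass, user) was also logged; a list
    fed in the wrong order produces exactly these. Self-pairs excluded."""
    return sorted((u, p) for (u, p) in combos
                  if u != p and (p, u) in combos)

def report(text, n=5):
    records = list(parse_log(text))
    combos = distinct_scan_counts(records, lambda u, p: (u, p))
    users = distinct_scan_counts(records, lambda u, p: u)
    passwords = distinct_scan_counts(records, lambda u, p: p)
    return {
        "combos": top(combos, n),
        "users": top(users, n),
        "passwords": top(passwords, n),
        "suspect_inverted": reversed_pairs(combos),
    }

if __name__ == "__main__":
    for section, rows in report(SAMPLE_LOG).items():
        print(section)
        for row in rows:
            print("  ", row)
```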

TOP 50 user names used

# USER
241 root
221 password
100 admin
87 test
87 qwerty
72 www
68 123
67 000000
66 111111
65 1234567
63 asdfgh
59 testing
59 test123
58 abc123
53 pass123
52 qazwsx
50 tester
48 server
47 abcdef
46 testing123
46 testing1
46 qazwsxedc
45 zxcvbnm
45 zxcvbn
45 testtest
40 oracle
39 ftp
33 test1
32 passwd
31 tester123
31 tester1
31 pass
30 pgsql
29 operator
28 dan
27 administrator
26 master
26 bin
25 oper
24 nobody
22 backup
21 postgres
21 mail
21 daemon
21 87654321
21 654321
20 office
19 test2
18 ts
17 mike
17 guest
16 monica

TOP 50 passwords used

# PASS
1427 root
346 test
305 123456
264 testuser
259 tester
242 test123
241 testing
240 test1
236 test2
230 test4
230 test3
113 12345
106 admin
75 user
69 nobody
69 123
65 1234
63 nick
59 webadmin
50 webmaster
49 oracle
48 web
46 password
43 news
42 info
40 sysadm
37 mysql
36 eqidemo
36 cvsadm
34 spam
31 administrator
30 uploader
28 lp
27 system
27 john
27 jack
27 fred
27 bill
26 visitor
26 daily
26 cstrike
25 techsupport
25 sql
25 smtp
23 qwerty
23 michael
22 weblogic
22 webalizer
22 toor
22 sys

Complex passwords logged

Most of the scan attempts used very common passwords, but some used really complex passwords that I can only imagine are backdoors or default passwords for some common systems. Anyone have clues? I “googled” them and didn’t find anything.

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, spaf@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
1 sadmin, &thecentercannothold;&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th3rd@y
1 admin, 63375312012a
1 root, zEfrephaq5qAnedufrethekuW
1 root, z1x2c3v4b5n6
1 root, xsw21qaz
1 root, wiu2ludrlamoatiuTriu
1 root, teiubescdartunumaiubestiasacahaidesaterminam
1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
1 root, rough46road15
1 root, fiatmx1q2w3e
1 root, empire12
1 root, efKO1$4?
1 root, eempire99
1 root, discovery
1 root, dave
1 root, d3lt4f0rc3
1 root, celes3cat
1 root, bleCroujouwLUswOEdrlAfo6w
1 root, bUspamaxegEGuyU52PEt6estU
1 root, asdfghjkl
1 root, apple
1 root, apache
1 root, an0th3rd@y
1 root, admin321321
1 root, admin1
1 root, admin
1 root, abcd1234
1 root, a1s2d3f4g5h6
1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
1 root, QT3CUCCj
1 root, Pr99*35a!ra-EwruvU3E@rAtUk
1 root, N6a4t4u8OEwiaW8i7HLaqLaki
1 root, Liteon81
1 root, B_$Aj3y3#UCraveVE5e23er@P4
1 root, BP5FbGRr
1 root, 63375312012a
1 root, 1z2x3c4v5b6n
1 root, 1qaz2wsx
1 root, 1q2w3e4r5t6y
1 root, 1q2w3e4r5t
1 root, 1q2w3e4r
1 root, 1a2s3d4f5g6hy
1 root, +#SGU9&rbf-;#
1 root, !@#$%^&*(
1 root, !@#$%
1 root, !@#$
1 root, !@#
1 root, +#sgu9&rbf-;#
1 root, )(*&^%$#@!
1 root, &thecentercannothold;&
1 root, %5%7%4%5%1%4%8%7
1 oracle, $changeme$
1 nobody, $changeme$
1 news, $changeme$
1 $ passwd
1 root, !@#$%^&*()
1 root, !!!
1 qeqawrexudaducu7eyuswacez, root
1 qazwsxeds, root
1 qazwsxedc, root
1 qazwsx, user
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruvu3e@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
1 root, wolfiz0r@
1 admin, wolfiz0r@
1 wmassma, wolf
1 wlp, wmassma
1 wlan, wlp
1 wkoweg, wlan
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu
1 u231006, u33977059
1 u208417, u231006
1 u207114, u208417
1 tyson, u207114
1 ska, skandinavia
1 sjfconsulting, ska
1 sjaekel, sjfconsulting

That’s it. If you want me to run more queries or generate more stats, let me know and I will update this post.

A closer look at IIScan

The free IIScan was recently announced on the full-disclosure list and I took the time to review it. It was announced as a new-generation web application security platform that detects XSS, SQL injection, etc. All online and free.

Let’s see how it worked. I ran it against the http://sucuri.net site, and this is what it did:

IP addresses used
They used two IPs: 216.18.22.46 and 58.60.26.171

User agent
That’s what their user agent looked like: “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0”

Actions
They started by checking what a 404 response looks like and fetching a few initial files:

GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET /robots.txt HTTP/1.1 404

After that, they tried the PUT, TRACE, TRACK and DELETE methods (sometimes more than once for the same file):

TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
PUT /jsky_test.txt HTTP/1.1 405
DELETE /Jsky_test_no_exists_file.txt HTTP/1.1 405
TRACE /TRACE_test HTTP/1.1 200
TRACK /TRACK_test HTTP/1.1 501

After that, they tried a few simple attacks:

GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404

Then they looked for common mistakes, like zipped PHP files, exposed logs, etc. They also checked for common application directories (wp-content, etc.):

GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET / HTTP/1.0 200
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /sitemap.gz HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET / HTTP/1.0 200
GET /server-info HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET / HTTP/1.0 200
GET /robots.txt HTTP/1.1 404
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET / HTTP/1.1 200
GET /wp-content/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /logfiles/ HTTP/1.1 404
GET / HTTP/1.1 200
GET /index.php.BAK HTTP/1.0 404
PUT /jsky_test.txt HTTP/1.1 405
GET /index.php.zip HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /sitemap.gz HTTP/1.1 404
GET /index.php.BAK HTTP/1.0 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /index.php.zip HTTP/1.0 404
GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET /rss.xml HTTP/1.1 302
GET /index.php.ZIP HTTP/1.0 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /index.php.tar.gz HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /index.php.temp HTTP/1.0 404
GET /server-info HTTP/1.1 404
GET /wp-content/ HTTP/1.1 404
GET /logfiles/ HTTP/1.1 404
GET /index.php.save HTTP/1.0 404
GET /main.css HTTP/1.1 200
GET /index.php.backup HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.orig HTTP/1.0 404
GET /log/ HTTP/1.1 404
GET /index.php~ HTTP/1.0 404
GET /data/ HTTP/1.1 404
GET /logs/ HTTP/1.1 404
GET /index.php~1 HTTP/1.0 404
GET /index.php.cs HTTP/1.0 404
GET /datas/ HTTP/1.1 404
GET /?page=home HTTP/1.1 200
GET /index.php.java HTTP/1.0 404
GET /example/ HTTP/1.1 404
GET /index.php.class HTTP/1.0 404
GET /examples/ HTTP/1.1 404
GET /index.php.rar HTTP/1.0 404
GET /upload/ HTTP/1.1 404
GET /WebService/ HTTP/1.1 404
GET /index.php.tmp HTTP/1.0 404
GET /inc/ HTTP/1.1 404
GET /include/ HTTP/1.1 404
GET /old/ HTTP/1.1 404
GET /manage/ HTTP/1.1 404
GET /db/ HTTP/1.1 404
GET /aspnet/ HTTP/1.1 404
GET /htdocs/ HTTP/1.1 404
GET /conf/ HTTP/1.1 404
GET /config/ HTTP/1.1 404
GET /private/ HTTP/1.1 404
GET /admin/ HTTP/1.1 404
GET /administrator/ HTTP/1.1 404
GET /webadmin/ HTTP/1.1 404
GET /database/ HTTP/1.1 404
GET /samples/ HTTP/1.1 404
GET /member/ HTTP/1.1 404
GET /members/ HTTP/1.1 404
GET /pass.txt HTTP/1.1 404
GET /passwd HTTP/1.1 404
GET /users.txt HTTP/1.1 404
GET /users.ini HTTP/1.1 404
GET /install.log HTTP/1.1 403
GET /database.inc HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /.bashrc HTTP/1.1 404
GET /Web.config HTTP/1.1 404
GET /Global.asax HTTP/1.1 404
GET /Global.asa HTTP/1.1 404
GET /Global.asax.cs HTTP/1.1 404
GET /test.asp HTTP/1.1 404
GET /test.php HTTP/1.1 404
GET /test.jsp HTTP/1.1 404
GET /test.aspx HTTP/1.1 404
GET /admin.asp HTTP/1.1 404
GET /data.mdb HTTP/1.1 404

After that, they detected my page structure and tried a few SQL injection, XSS and other attacks against it:

GET /index.php?page=scan&page=scan?scan=88888 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=homealert(42873) HTTP/1.1 404
GET /index.html?page=home%2527 HTTP/1.0 404
GET /?page=docs&title=daily HTTP/1.1 200
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%5C' HTTP/1.0 404
GET /index.html?page=home%5C%22 HTTP/1.0 404
GET /index.html?page=homeJyI%3D HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home%bf%27 HTTP/1.0 404
GET /?page=practical&pid=13 HTTP/1.1 200
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home/ HTTP/1.0 404
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home%20and%205=6 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

They also found another page inside (the daily tips) and tried more attacks:

GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%2527 HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C%22 HTTP/1.0 404
GET /index.html?page=docs&title=dailyJyI%3D HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily%bf%27 HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily/ HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=6 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=practical&pid=13alert(42873) HTTP/1.1 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%2527 HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13JyI%3D HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13%bf%27 HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13/ HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=6 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

And that was the whole scan. The only issue they found was that we allowed the TRACE method, but I think they did a good job looking for different types of vulnerabilities.
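The scan above leaves a recognisable trail in the access log. The following is an added detection example (not Sucuri's or IIScan's code) that reads request lines in the "METHOD PATH PROTO STATUS" shape shown in the post and flags the scanner's signatures: its User-Agent token, the 404-calibration probe, the TRACE/PUT/DELETE attempts, backup-file guessing, the `<script>` probe, the `and 5=5` / `and 5=6` true/false pair, and the 404 burst. The sample lines and the User-Agent string passed alongside them are constructed, modelled on what the post shows.

```python
import re
from urllib.parse import unquote

# Constructed request lines, modelled on the probes the post shows.
SAMPLE = """\
GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /robots.txt HTTP/1.1 404
TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_test.txt HTTP/1.1 405
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /index.php?page=scan&scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&scan=88888%20and%205=6 HTTP/1.0 200
GET /main.css HTTP/1.1 200
GET /admin/ HTTP/1.1 404
"""
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) NOSEC.JSky/1.0"

LINE_RE = re.compile(r"^(\S+) (\S+) (HTTP/\d\.\d) (\d{3})$")
UNSAFE_METHODS = {"TRACE", "TRACK", "PUT", "DELETE"}
# "... and 5=5" next to "... and 5=6" on one URL is a boolean SQLi test.
SQLI_PAIR = re.compile(r"^(.*) and 5=([56])( and '%'=')?$")
BACKUP_RE = re.compile(r"\.(bak|zip|orig|save|tmp|rar|backup|tar\.gz)$|~\d?$", re.I)

def parse(text):
    """Turn 'METHOD PATH PROTO STATUS' lines into (method, path, proto, status)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out

def findings(requests, user_agent):
    """Sorted (rule, detail) pairs for one client's requests."""
    hits = set()
    if "jsky" in user_agent.lower():          # the scanner's own UA token
        hits.add(("scanner-ua", user_agent))
    sqli = {}                                 # base URL -> {"5", "6"} seen
    for method, path, _proto, status in requests:
        decoded = unquote(path)
        if method in UNSAFE_METHODS:
            hits.add(("unsafe-method", f"{method} {path} -> {status}"))
        if "never_could_exist_file" in path:  # calibrating the 404 page
            hits.add(("404-baseline-probe", path))
        if "<script>" in decoded.lower():
            hits.add(("xss-probe", path))
        if BACKUP_RE.search(path):
            hits.add(("backup-file-probe", path))
        m = SQLI_PAIR.match(decoded)
        if m:
            sqli.setdefault(m.group(1), set()).add(m.group(2))
    for base, seen in sqli.items():
        if seen == {"5", "6"}:
            hits.add(("boolean-sqli-probe", base))
    total = len(requests)
    not_found = sum(1 for *_, status in requests if status == 404)
    if total >= 10 and not_found / total >= 0.5:
        hits.add(("404-burst", f"{not_found}/{total} responses were 404"))
    return sorted(hits)
```

Run `findings(parse(SAMPLE), SAMPLE_UA)` to see every rule fire on the sample; a normal browsing session with a handful of 200s produces an empty list.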

VMware insecure file creation

If you are using the free VMware Server on Linux, beware that the installer creates files with insecure permissions, allowing any user to modify them.

I downloaded the latest VMware Server (VMware-server-2.0.2-203138.i386) and followed the step-by-step installation script. After it completed, OSSEC (always to the rescue) sent me a bunch of alerts about new insecure files:

File ‘/usr/lib/vmware/hostd/docroot/print.css’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/client/clients.xml’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vim.wsdl’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vimService.wsdl’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/sdk/vimServiceVersions.xml’ is owned by root and has written permissions to anyone.
File ‘/usr/lib/vmware/hostd/docroot/error-32x32.png’ is owned by root and has written permissions to anyone.

And these are just some of them. Everything under /usr/lib/vmware was created with 777 permissions (open for anyone to read and modify), including the vmware-server-distrib and other directories.

So, if you run VMware on a system where someone else has normal user access, you might want to run “chmod -R o-rwx” on that tree to avoid problems.

* Just verified on another system, with the same effect. Tried on Ubuntu 9.04 and CentOS 5.3.
* My umask is set properly, to 0022.
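The check OSSEC performed and the fix the post recommends, as an added example that is neither VMware's nor OSSEC's code: walk a directory tree, report every file or directory with the other-write bit set, then clear the other-rwx bits the way `chmod -R o-rwx` does. It runs against a constructed temporary tree laid out like /usr/lib/vmware/hostd/docroot with 0777 modes, not against a real install.

```python
import os
import stat
import tempfile

def world_writable(root):
    """[(path, octal mode)] for every file or directory under root with
    the other-write bit set, i.e. the condition behind the OSSEC alerts.
    Symlinks are skipped: their own mode bits are not what matters."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)

def strip_other(root):
    """Same effect as `chmod -R o-rwx root`: clear the other-rwx bits on
    every non-symlink entry; returns how many entries were changed."""
    changed = 0
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:
                os.chmod(path, mode & ~stat.S_IRWXO)
                changed += 1
    return changed

def demo():
    """Build a constructed tree the way the installer left /usr/lib/vmware
    (everything 0777), audit it, fix it, and audit it again."""
    root = tempfile.mkdtemp(prefix="vmware-demo-")   # mkdtemp uses 0700
    docroot = os.path.join(root, "hostd", "docroot")
    os.makedirs(docroot)
    css = os.path.join(docroot, "print.css")
    with open(css, "w") as fh:
        fh.write("body {}\n")
    for path in (os.path.join(root, "hostd"), docroot, css):
        os.chmod(path, 0o777)          # what the OSSEC alerts reported
    before = world_writable(root)
    fixed = strip_other(root)
    after = world_writable(root)
    return before, fixed, after

if __name__ == "__main__":
    before, fixed, after = demo()
    for path, mode in before:
        print(f"world-writable {mode}: {path}")
    print(f"fixed {fixed} entries; remaining: {after}")
```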