Re: Phishing - Linux boxes are vulnerable

 > there's lots of vulnerable Linux servers out there, managed by poorly
 > skilled admins - mainly teenagers playing around - ... IMHO
 > attacking a Linux server is more convenient than a Windows server

After setting up a secure Apache (irrespective of the distribution) a lot of 
admins go get a "php-this" or "php-that" web program from a repository.  
Unfortunately, they don't ask the question of how this thing will be 
automagically updated each time a vulnerability is fixed, so the program 
never gets updated.

Those programs get a lot of security updates (don't believe me? see 
http://www.securityfocus.com/bid and query your favorite php program). 
Look in your /var/log/httpd/error.log and you will probably see several 
hundred attempts to break into various php scripts. 

OT, a famous and recent example is the group in Canada who was busted 
for cracking web contact forms and sending out truly massive amounts of 
spam. Their technique required the mental acumen of a 5th grader in my 
estimate, but worked because of an abundance of really poorly written web 
contact scripts which never got updated.

If the cracked script runs with sufficient authority to add a web page, the 
phisher's job becomes trivial. The solution is for maintainers to make sure 
that they can notify their customers each time a security fix is made. This 
can be done in the script or by mandatory registration before a download. 
Yum repositories and the equivalent for other distros should be helpful in 
solving this problem. 


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
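As an added illustration of the error-log check the post describes (this is not code from the post or from the Fedora project), a small Python script that tallies the failed-lookup entries an Apache error_log accumulates when scanners probe for PHP applications that are not installed, per client and per probed path. The sample lines are constructed in the Apache 2.2 error_log format; the document root and the "scanner" threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache 2.2 error_log format (not real log data).
SAMPLE_ERROR_LOG = """\
[Sun Mar 09 10:12:01 2008] [error] [client 203.0.113.7] File does not exist: /var/www/html/phpmyadmin
[Sun Mar 09 10:12:02 2008] [error] [client 203.0.113.7] File does not exist: /var/www/html/pma
[Sun Mar 09 10:12:03 2008] [error] [client 203.0.113.7] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Sun Mar 09 10:13:44 2008] [error] [client 198.51.100.22] File does not exist: /var/www/html/contact.php
[Sun Mar 09 10:13:45 2008] [error] [client 198.51.100.22] File does not exist: /var/www/html/formmail.php
[Sun Mar 09 10:14:00 2008] [notice] caught SIGTERM, shutting down
[Sun Mar 09 10:14:01 2008] [error] [client 203.0.113.7] File does not exist: /var/www/html/admin/phpmyadmin
"""

# Matches the two ways httpd 2.2 reports a request for a path that is not there.
# (httpd 2.4 writes "[client IP:port]" and a module tag; adjust the pattern for it.)
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"(?:File does not exist: (?P<path1>\S+)|script '(?P<path2>[^']+)' not found)"
)

def parse_probes(log_text):
    """Yield (client_ip, requested_path) for every failed-lookup error line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("path1") or m.group("path2")

def probe_summary(log_text, docroot="/var/www/html"):
    """Count failed lookups per client IP and per path relative to the docroot."""
    by_client, by_target = Counter(), Counter()
    for ip, path in parse_probes(log_text):
        by_client[ip] += 1
        target = path[len(docroot):] if path.startswith(docroot) else path
        by_target[target] += 1
    return by_client, by_target

def noisy_clients(by_client, threshold=3):
    """Clients with at least `threshold` failed lookups, busiest first (assumed cut-off)."""
    return [ip for ip, n in by_client.most_common() if n >= threshold]

if __name__ == "__main__":
    clients, targets = probe_summary(SAMPLE_ERROR_LOG)
    print("probed paths:", targets.most_common())
    print("clients over threshold:", noisy_clients(clients))
```

On a real box, replace SAMPLE_ERROR_LOG with the contents of /var/log/httpd/error_log; paths that keep showing up name the applications scanners expect to find unpatched.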