Re: Has my fedora 18 installation been hacked?

Dear Reindl,

I am sorry if I gave a wrong impression, but I was referring to the tmp, cache and log folders inside the Joomla installation, not the OS or Apache ones. The whole Apache document root is owned by root and has a read-only SELinux policy (Apache cannot write anything in there). The only folders owned by apache that had rw SELinux permissions were the cache, log & tmp folders of the Joomla installation (i.e. /var/www/html/joomla/tmp). This was the folder where I found two PHP files that were executed by calling them through a POST HTTP request.

Regards,

George

On 15/3/2013 2:30 pm, Reindl Harald wrote:

On 15.03.2013 12:16, Georgios Petasis wrote:
I suspect that it is a joomla 1.5.26 exploit. I have found two php files in the tmp folder of one web site,
and POSTs to them in the apache access log file.
I know this is an old version of joomla
this is the main problem

what your machine does / did is attack third parties, and this is
the most common thing that happens after an intrusion, and without your ISP
having open eyes you would still not know that it happened

and this is the reason why my reaction on mailing lists to
posts starting with "i installed Fedora 14" is pure anger,
because it is unacceptable and I was there on the other side
of a DDoS attack from many thousand IPs for nights and can
tell anybody that it is no fun trying to keep the business alive
in such situations - you can be sure ALL of these thousands of
attackers were hijacked servers / clients with whatever OS

and I have made the mistake of making the folders tmp, cache & log
writable by apache in SELinux...)
the writable part is not the problem, how should they work read-only,
but making them accessible AND executable from the web is a big
mistake for several reasons:

* log: you do not want access to log files from outside
* cache: you do not want the application's cache read from outside
* tmp: you do not want the application's temp files read from outside

for any folder:
you do not want code which can be injected from outside to get executed;
this also affects the log file, I have seen attacks where PHP code
was in the requests and someone found a small injection leak and
used the log file to prepare his whole script and execute it
through the injection leak
_________________________________________

I generally protect any log/temp/cache folder AND all folders where
files uploaded by users (images, pdf...) are stored by disabling
the PHP engine, and for tmp/log I deny access at all

"IfVersion" needs "mod_version.so" loaded and is used here
to prepare a smooth upgrade to Apache 2.4 once mod_security
works correctly with "mod_remoteip" behind a proxy

[harry@srv-rhsoft:~]$ cat /www/www.rhsoft.net/temp/.htaccess
<IfModule mod_php5.c>
 php_flag engine off
</IfModule>
<IfModule mod_php6.c>
 php_flag engine off
</IfModule>
<IfVersion < 2.4>
 Order deny,allow
 Deny from all
</IfVersion>
<IfVersion >= 2.4>
 Require all denied
</IfVersion>




-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
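Added example, not code from either poster: a small Python scanner over Apache combined-format access log lines that flags the two things the thread describes, PHP files being executed out of the web-writable Joomla directories (the POSTs George found in his access log) and PHP code placed into request fields so that it lands in the log, together with the traversal request that would include that log (the poisoning Reindl describes). The directory layout (/joomla/ under the document root, after the thread's /var/www/html/joomla/tmp), the rule names and the sample log lines are constructed for illustration.

```python
"""Scan Apache combined-format access log lines for the two attack
patterns discussed in the thread:

  1. PHP files executed from web-writable Joomla directories
     (tmp/, cache/, logs/): the webshells found via POST requests.
  2. PHP code smuggled into request fields (URI, Referer, User-Agent)
     so it lands in the access log, plus traversal requests that point
     an include at that log: the log-poisoning attack.

Added example, not code from either poster. The directory layout
(/joomla/ under the document root), the rule names and the sample log
lines below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Directories Joomla needs apache-writable; nothing in them should ever be
# served as code (assumed paths, modelled on the thread's /var/www/html/joomla/tmp).
WRITABLE_DIRS = ("/joomla/tmp/", "/joomla/cache/", "/joomla/logs/")

PHP_FILE_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)   # matched after URL-decoding
LOG_FILE_RE = re.compile(r"(access|error)[_.]?log", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines, writable_dirs=WRITABLE_DIRS):
    """Return (rule, client_ip, method, decoded_path) for each suspicious request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"])
        script = path.split("?", 1)[0]
        # Rule 1: a PHP script executed out of a directory the web server can
        # write to. Legitimate Joomla code never lives there.
        if PHP_FILE_RE.search(script) and any(d in script for d in writable_dirs):
            findings.append(("php-in-writable-dir", rec["ip"], rec["method"], path))
        # Rule 2: a PHP open tag in any field Apache writes to the log,
        # decoded first so %3C%3Fphp does not slip past.
        fields = (path, unquote(rec["referer"]), unquote(rec["agent"]))
        if any(PHP_TAG_RE.search(f) for f in fields):
            findings.append(("php-tag-in-request", rec["ip"], rec["method"], path))
        # Rule 3: directory traversal aimed at the log file itself, i.e. the
        # include step that turns a poisoned log into executed code.
        if "../" in path and LOG_FILE_RE.search(path):
            findings.append(("log-include-attempt", rec["ip"], rec["method"], path))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, *_ in findings))


# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Mar/2013:11:02:17 +0200] "GET /joomla/index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Mar/2013:11:02:19 +0200] "GET /joomla/tmp/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Mar/2013:11:05:40 +0200] "POST /joomla/tmp/xx1.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [15/Mar/2013:11:05:41 +0200] "POST /joomla/tmp/cfg.php?c=id HTTP/1.1" 200 54 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [15/Mar/2013:11:09:02 +0200] "GET /joomla/index.php HTTP/1.1" 200 8123 "-" "<?php system($_GET[\'c\']); ?>"',
    '198.51.100.77 - - [15/Mar/2013:11:09:03 +0200] "GET /joomla/index.php?option=com_x&file=%3C%3Fphp+phpinfo()%3B%3F%3E HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [15/Mar/2013:11:09:05 +0200] "GET /joomla/index.php?option=com_x&file=../../../../var/log/httpd/access_log&c=id HTTP/1.1" 200 40123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rule, ip, method, path in scan_log(SAMPLE_LOG):
        print(f"{rule:22s} {ip:15s} {method:5s} {path}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

On real data, pass the open log file to scan_log() and adjust WRITABLE_DIRS to where the site is mounted; the first rule is only as good as that list, so include every directory the web server user can write to, uploads included. One caveat on the .htaccess above: php_flag is a mod_php directive, so under PHP-FPM the whole <IfModule mod_php5.c> block is silently skipped and only the deny rules remain; a folder protected by "engine off" alone (the upload folders in Reindl's scheme) is then not protected at all, and needs a handler-level or access-level deny instead.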