Never had these issues at all if you set up vhosts correctly. But agree we tend to have 2 vhosts for the domain * vhost 1 is the real vhost and handle requests * vhost 2 contains all the redirects from other domain names to the canonical one The only ServerAlias lines in vhost 1 are for development URLs which are run on different servers But we also don't expose our wordpress - but use a mirroring script to serve the site as predominantly static {takes careful design to do this!} -----Original Message----- From: Paul Kudla (SCOM.CA Internet Services Inc.) <paul@xxxxxxx> Sent: 06 July 2022 11:29 To: users@xxxxxxxxxxxxxxxx Subject: Re: site compromised and httpd log analysis [EXT] ok may or may not be related but i found i had to lock php, wordpress etc down heavely in apache especially if you are using vhosts i found one authorized site could talk to another without making things more strict yes its a pain to have one vhost per site but its the only way to fully isolate one from the other if someone executes stuff it stays within their working directory example (shows http alias etc - note the directory directives - i use a database --> script generator so its not too inconvient.) : <VirtualHost *:80> ServerName bedrockconstruction.ca ServerAlias bedrockconstruction.ca ServerAlias https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bedrockconstruction.ca&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=2I8OZ_jBeUEUwIOVDyTOtp8vGvpwwAi20BxIyLEQ4d0&e= Redirect permanent / https://urldefense.proofpoint.com/v2/url?u=https-3A__bedrockconstruction.ca_&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=ACmbZk0Pm3piuR1DATvB0hI5ScZQPHlJe7ZcD4xBOOY&e= </VirtualHost> <VirtualHost *:443> ServerName bedrockconstruction.ca ServerAlias bedrockconstruction.ca ServerAlias https://urldefense.proofpoint.com/v2/url?u=http-3A__www.bedrockconstruction.ca&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=2I8OZ_jBeUEUwIOVDyTOtp8vGvpwwAi20BxIyLEQ4d0&e= DocumentRoot /www/bedrockconstruction.ca SSLEngine on SSLProtocol all SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain SuexecUserGroup www www <Directory "/www/bedrockconstruction.ca/wp-content/uploads/"> <Files "*.php"> Order Deny,Allow Deny from All </Files> </Directory> <Directory /www/bedrockconstruction.ca> php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/ </Directory> <Directory /www/bedrockconstruction.ca> php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/ </Directory> <Directory /www/bedrockconstruction.ca> php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/ </Directory> <Directory /www/bedrockconstruction.ca> php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/ </Directory> <Directory /www/bedrockconstruction.ca> php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp </Directory> <Directory "/www/bedrockconstruction.ca"> AllowOverride All php_value session.save_path "/www/bedrockconstruction.ca/" </Directory> </VirtualHost> Happy Wednesday !!! Thanks - paul Paul Kudla Scom.ca Internet Services <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.scom.ca&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=_KrQarPZVkZAVM2At-fFSlh8crzfvk75b0xPz4RBhv0&e= > 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3 Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@xxxxxxx On 7/5/2022 9:52 PM, KK CHN wrote: > https://urldefense.proofpoint.com/v2/url?u=https-3A__pastebin.com_YspPiWif&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=5Nna_6oH-BJdYmfSIPPUFiuLF-Zlf8cizzQZSIIHT2g&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__pastebin.com_YspPiWif&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=5Nna_6oH-BJdYmfSIPPUFiuLF-Zlf8cizzQZSIIHT2g&e= > > > One of the websites hosted by a customer on our Cloud infrastructure > was compromised, and the attackers were able to replace the home page > with their banner html page. > > The log files output I have pasted above. > > The site compromised was PHP 7 with MySQL. > > From the above log, can someone point out what exactly happened and how > they are able to deface the home page. > > How to prevent these attacks ? What is the root cause of this > vulnerability and how the attackers got access ? > > Any other logs or command line outputs required to trace back kindly let > me know what other details I have to produce ? > > Kindly shed your expertise in dealing with these kind of attacks and > trace the root cause and prevention measures to block this. > > Regards, > Krish > > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.mailscanner.info_&d=DwIDaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vVY_Oi8KXyHxOVIqskbHBAc&m=NocH2bgtJpik8PIJwPUix3SJ7UY_NOBu-St0juQBbZNOEtxO4zB3CMmSBHgsav10&s=5Eo4dqX5kQQCYJEGl4C2i4H0LtfO_U-QaP0QK5zxcts&e= >, and is > believed to be clean. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx -- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx