RE: [users@httpd] Hacked the website replace the index.hm page

At 07:37 PM 5/8/2005, Stuart Low wrote:
Heya,

PHP as a CGI also requires users (read, typically, morons) to add a
shebang line to their scripts.

Seems like a small, but ongoing price to pay. I guess the same question over and over could drive you nuts after a while. But then again, it seems like you could give them a so-called PHP safe dir. Call it something like that anyway and that could avoid a few questions. But that raises another question, I never have been able to find the equivalent of ExecCGI for PHP. It just seems like it is not done. I found one example of a guy who did this with a list of handler statements in an .htaccess file. A horrible idea. A web designer tried to make some additions to the .htaccess file, pooched it and brought down the whole website as a result :)

What we do is put in an open_basedir for
all vhosts at a bare minimum. Another favourite is the mod_suexec module
additions for mod_php (I forget the exact name).

Another countermeasure is mod_security which can block phpBB exploit
attempts (and other common ones).

Stuart

I would not tend to think very much of open_basedir by itself, but the other options you mention sound like they are worthwhile. Thanks for the info, I was curious and you filled in some blanks.

Eric



On Sun, 2005-05-08 at 19:13 -0700, Eric Frazier wrote:
> Hi,
>
> Does no one use cgi wrap anymore? I thought that the best way to handle
> this kind of thing is to run PHP as a CGI first off, and then use something
> like wrap to isolate users. Yes, lesser performance, but people running on
> shared servers get what they pay for, and it certainly makes sense to take
> their security first and performance second.
>
> Eric
>
> At 06:55 PM 5/8/2005, Gary W. Smith wrote:
> >Here is the explanation as you have already presented it:
> >
> >All users sites are owned by httpd
> >There are multiple user sites, we'll say a-z.
> >Site a is running PHPbb with a version known to be buggy.
> >Someone issues a hack against site a.  The hack says modify site b-z.
> >Apache says, why not, I own the files so I can.
> >User from site j complains because site is hacked.
> >
> >The rule of thumb is that apache can edit any file it has read/write
> >access to.
> >
> >What we have done in the past to prevent this.
> >
> >We have multiple sites running on single boxes and ensure that this
> >doesn't happen by having the files owned by the user with read-only
> >access to apache (r/w is assigned by the users at their own risk,
> >usually only to directories they need to upload to).
> >
> >If your users fail to update their versions of phpBB there isn't much you
> >can do, but you are also not responsible for their failure to do so.
> >
> >We also turn on open base dir per virtual instance (all on one line).
> >php_admin_value open_basedir "/tmp:
> >/home/whateveruser/html:
> >/usr/local/horde:
> >/usr/local/lib"
> >
> >This might help, but it won't hurt!
> >
> > > ----- Original Message -----
> > > From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
> > > To: <users@xxxxxxxxxxxxxxxx>
> > > Sent: Sunday, May 08, 2005 8:23 PM
> > > Subject: Re: [users@httpd] Hacked the website replace the index.hm
> >page
> > >
> > >
> > > Hi Tim,
> > >
> > > Could you please explain it bit more. There is no connection between
> >the
> > > hacked website and phpBB website.( both are different virtual host).
> >We
> > > are
> > > using php version 4.3.9. Do you mean upgrade php?
> > >
> > > Thanks
> > > Mathew
> > >
> > >
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See <URL:http://httpd.apache.org/userslist.html> for more info.
> >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

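An added example, not written by anyone in this thread: a small POSIX shell audit for the ownership problem Gary describes (Apache owning every site's files, so a script on site a can rewrite sites b-z) and for the layout he uses instead (files owned by the site user, read-only to the server). The docroot, site user and server user are arguments; the names below are placeholders.

```shell
#!/bin/sh
# Audit one vhost's document root for files the web server process could
# modify. Run it per site; a clean site prints nothing.
#
#   audit_docroot DOCROOT SITE_USER WEB_USER
#
# Example (placeholder names): audit_docroot /home/whateveruser/html whateveruser httpd
#
# Three findings are reported, one tagged line each:
#   owned-by-webserver:  owned by WEB_USER, so any PHP script the server runs,
#                        from any vhost, can rewrite it (the bad setup above)
#   foreign-owner:       owned by neither SITE_USER nor WEB_USER (stray root-
#                        owned edits, upload-owned files) and worth a look
#   world-writable:      mode o+w, so every local account, WEB_USER included,
#                        can write it; acceptable only for deliberate upload dirs
audit_docroot() {
  docroot=$1
  site_user=$2
  web_user=$3

  # Everything the server user owns under the docroot is rewritable by it.
  find "$docroot" -user "$web_user" -print \
    | sed 's/^/owned-by-webserver: /'

  # Ownership drift away from the site user.
  find "$docroot" ! -user "$site_user" ! -user "$web_user" -print \
    | sed 's/^/foreign-owner: /'

  # -perm -002 is the portable spelling of "other-writable".
  find "$docroot" -perm -002 -print \
    | sed 's/^/world-writable: /'
}

# Count of findings for a docroot, for use in a cron job or a pre-deploy check.
audit_count() {
  audit_docroot "$1" "$2" "$3" | wc -l | tr -d ' '
}

if [ "$#" -eq 3 ]; then
  audit_docroot "$1" "$2" "$3"
fi
```

The first check is the one that matters for the scenario in the thread: with Gary's layout it should print nothing, and with "all sites owned by httpd" it lists every file.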
