Re: [users@httpd] Security scanners.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There is about 50 virtual servers, I can't reinstall now, need to find the hole. The changed file has apache.apache ownership, so I think that the hole in web server of php.


G.



----- Original Message ----- From: "Sean Conner" <sean@xxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, April 27, 2006 8:24 PM
Subject: Re: [users@httpd] Security scanners.


It was thus said that the Great Georgy Goshin once stated:

Hello,

A few of virtual hosts on my server was hacked - the content was replaced
and I can't figure how they did it. Is there any software that will scan the
web server and checks for known security holes?

I don't know of any software [2] that will do what you ask, but having been the recipient of several hacks [1] your server may not have been compromised
through the webserver---*any* other service running could have been the
vector through which you were compromised (DNS, SQL, SMTP, etc.).  Or it
could have been an inside job (the login information to update one of your
sites was compromised).

 Until you figure out how they got in, you have two choices:

1. Turn off any services you don't need (you should do this anyway),
   change all passwords and disable all CGI scripts until they've
   been vetted clean.

2. Nuke and pave.  Reinstall the server from scratch (I only
   recommend this if you have no clue how to proceed or are truely
   paranoid) with the latest version you have on CD, then patch
   patch patch until *all* the software is to the latest version.
   You'll still want to turn off any services you don't need (or
   understand) after the install, change the passwords and disable
   any CGI scripts until they've been vetted.

 -spc (Been there, done that, don't even have a lousy tee shirt ... )

[1] The worst so far being this one:

http://boston.conman.org/2004/09/13.1
http://boston.conman.org/2004/09/14.1
http://boston.conman.org/2004/09/19.1

There have been others though:

http://boston.conman.org/2005/10/05.2

[2] Actually, I do know of some, but they're the software programs that
are currently trying to break in through an insecure webserver or
CGI scripts.  You can check your web logfiles and see plenty of
those happening.  If any of those requests are 200, then there's a
hole.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux