On Thu, Jun 22, 2006 at 12:53:09PM -0400, Matthew T. O'Connor wrote:
> Is this a know problem? Have others seen it? What can I do to help
> prevent this?
>
> Thanks,
>
> Matt
Yes, it's a problem with non secure php configuration and vulnerable
php scripts.
Some suggestions:
(Already mentioned) Keep php scripts up to date! This is paramount
(Already mentioned) mount /tmp on loop with noexec
(Already mentioned) php.ini: allow_url_fopen = off
(Already mentioned) Learn how to use mod_security effectively
(Already mentioned) Block outbound tcp/80 with iptables/etc
(Already mentioned) SELinux can provide more fine grain control over
- "who" can do "what"
(Already mentioned) Use UNIX permissions to restrict access to
- wget/curl/ncftp/lynx/etc
Additional:
php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec
Lots of times I find something in httpd's crontab to re-infect /tmp
so use cron.deny:
echo apache/httpd/www/etc >> /etc/cron.deny
I also block outbound access to tcp/6666-6669 (irc) and tcp/6881-6889
(bittorrent) as well as non-essential outbound udp (essential: dns, ntp)
to "contain" any damage caused by malware.
It is still possible to circumvent noexec.
mod_security will only protect you from disclosed vulnerabilities.
Security is a trade off with convenience. So you must evaluate your
options. Shared web hosts tend to require convenience, while dedicated
needs lean more towards security. Become familiar with the scripts you
are running, their requirements, their security track record, and
any alternatives if they exist.
- Mike
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
