Re: httpd - mysql - paypal.com.tar - hacker




On Aug 21, 2009, at 5:47 PM, "Gregory P. Ennis" <PoMec@xxxxxxxxx> wrote:

>
> On Fri, Aug 21, 2009 at 5:31 PM, Ray Van Dolson<rayvd@xxxxxxxxxxxx> wrote:
>
>>
>> Nope, but you can take steps to prevent (or make it more difficult) for
>> people that shouldn't be accessing it from accessing it.
>>
>> Apache allow from, etc... basic authentication, make sure you're using
>> HTTPS and selinux.
>
> Along these lines (following up here, though it's mostly to the OP),
> you may also want to look at your php.ini for some hardening as well.
> The default php.ini ships with allow_url_fopen enabled, which tells
> php to treat remote files like they're local. In some cases this is
> needed, but I really consider it a huge security hole, and if
> disabling doesn't break your website, I would suggest you do so.
>
> ----------------
>
> Jim,
>
> Great suggestion.  Thank you!!!!!

You weren't the only one who had phpmyadmin used to exploit their server.

There was a thread not too long back of another whose server was hacked
through some phpmyadmin script injection exploit.

For everyone who reads this:

Do Not run phpmyadmin on a forward facing server!

It is for behind the firewall only! And even then to restricted users over
SSL protected by password.

-Ross

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
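
Added example, not part of the original thread or of any poster's message: one way to combine the controls named above (Apache "allow from", basic authentication, HTTPS) for a phpMyAdmin directory, in the Apache 2.2 syntax of the period. The install path, admin subnet, realm name and password-file location are assumptions; substitute your own.

```apache
# Added example (Apache 2.2 access-control syntax).
# Assumed values: /usr/share/phpMyAdmin install path, 192.168.10.0/24 admin
# subnet, /etc/httpd/conf/pma.htpasswd password file.

Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory "/usr/share/phpMyAdmin">
    # HTTPS only: mod_ssl refuses any request that did not arrive over SSL.
    SSLRequireSSL

    # Network restriction: default deny, then allow the admin subnet only.
    Order deny,allow
    Deny from all
    Allow from 192.168.10.0/24

    # Password: HTTP Basic auth sends credentials base64-encoded, not
    # encrypted, so it is only acceptable together with SSLRequireSSL.
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile /etc/httpd/conf/pma.htpasswd
    Require valid-user

    # Require BOTH the address check and the password. With "Satisfy any",
    # passing either one alone would grant access.
    Satisfy all
</Directory>

# Apache 2.4 replaces Order/Deny/Allow/Satisfy with:
#   <RequireAll>
#       Require ip 192.168.10.0/24
#       Require valid-user
#   </RequireAll>

# php.ini (a separate file), the setting raised in the quoted reply:
#   allow_url_fopen = Off
```

Run "apachectl configtest" before reloading, then confirm from an address outside the allowed subnet that /phpmyadmin returns 403.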
