Shafiq Rehman wrote:
> My server was hacked last week and the message displayed on the home page was
> "spy kidz owns your server". I researched on the internet and found that this is
> some kind of trojan which infects the *.index files. It penetrates from HTTP.
> Some people were saying that there is a vulnerability in PHP. Please help how
> can I protect my server from further attacks.

Hello Shafiq,

One very common culprit in this scenario would be phpBB, especially older versions, and if you are running PHP without safe_mode and include_path directives, a script could very well overwrite every world-writable (or web server writable) file on your entire server.

Happened to us once after a client had been running an old phpBB version. We now have a set of scripts in place that scan our servers for vulnerable scripts, phpBB among those, and alert us when they're found in a client's home directory.

So, to protect your server: turn on safe_mode. If clients (if you have clients on the machine) request safe_mode to be turned off, you can do that manually in httpd.conf for Apache (not sure about IIS on Windows).

Also, using hard include paths in the httpd.conf for each virtual host will prevent the scripts running on a site from including/touching files that are outside said paths unless they manage to run a shell with a PHP script that can be activated without using php.ini, which might in this case be another security hole.

Regards,
Torgny

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
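
An added example, not part of the original message and not Torgny's own scripts: a Python audit that lists the entries under a document root that are world-writable or writable by the web server account, the files the reply says a compromised script can overwrite. The function name, uid 33 and the demo tree are assumptions constructed for illustration.

```python
import os
import stat


def writable_by_web_server(root, web_uid, web_gids=()):
    """Return sorted (relative path, reason) pairs for files and directories
    under root that the web server account could overwrite."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be examined
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                reason = "world-writable"
            elif st.st_uid == web_uid:
                # The owner can always chmod the entry, so ownership is enough.
                reason = "owned by web server user"
            elif st.st_gid in web_gids and st.st_mode & stat.S_IWGRP:
                reason = "group-writable by web server group"
            else:
                continue
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed demo tree; in practice pass a real docroot and the uid/gids
    # of the account the web server runs as (33 here is an assumed value).
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.php", 0o666), ("config.php", 0o644)):
            p = os.path.join(root, name)
            open(p, "w").close()
            os.chmod(p, mode)
        for rel, reason in writable_by_web_server(root, web_uid=33):
            print(f"{reason}: {rel}")
```
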