Re: php vulnerability

Hi all,

Thanks to all of you. My server is running on Linux and there is not any 
phpBB running on it. If the vulnerability is in my code, is there any way that 
I can find the buggy code on my server which allowed that trojan to write 
into all the index files?

I analyzed the Apache logs but did not find anything wrong. My server is 
protected with a firewall and only port 80 is open.

Thanks
-- 
*** phpgurru.com <http://phpgurru.com> [A php resource provider] ***

\\\|///
\\ - - //
( @ @ ) PHP is too logical for my brain
+---oOOo-(_)-oOOo------------------------------------------+
| Mian Shafiq ur Rehman
| phpgurru.com <http://phpgurru.com> [A php resource provider]
| 107 B, New Town, Multan Road
| Lahore Pakistan
|
| Mobile: 0300 423 9385
|
| ooo0 http://www.phpgurru.com
| ( ) 0ooo E-Mail: rehmanms@xxxxxxxxx
+---\ (----( )------------------------------------------+
\_) ) /
(_/

On 8/22/05, Torgny Bjers <torgny@xxxxxxxxxxx> wrote:
> 
> Shafiq Rehman wrote:
> > My server was hacked last week and the message displayed on home page was
> > "spy kidz owns your server". I researched on internet and found that this is
> > some kind of trojan which infects the *.index files. It penetrates from HTTP.
> > Some people were saying that there is vulnerability in PHP. Please help how
> > can I protect my server from further attacks.
> 
> Hello Shafiq,
> 
> One very common culprit in this scenario would be phpBB, especially
> older versions, and if you are running PHP without safe_mode and
> include_path directives, a script could very well overwrite every
> world-writable (or web server writable) file on your entire server.
> Happened to us once after a client had been running an old phpBB
> version. We now have a set of scripts in place that scan our servers for
> vulnerable scripts, phpBB among those, and alert us when they're found
> in a client's home directory.
> 
> So, to protect your server: turn on safe_mode. If clients (if you have
> clients on the machine) request safe_mode to be turned off, you can do
> that manually in httpd.conf for Apache (not sure about IIS on Windows).
> Also, using hard include paths in the httpd.conf for each virtual host
> will prevent the scripts running on a site from including/touching files
> that are outside said paths unless they manage to run a shell with a PHP
> script that can be activated without using php.ini, which might in this
> case be another security hole.
> 
> Regards,
> Torgny
> 
>
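
An added example, not part of the original thread: a Python script for the kind of scan discussed above, walking a document root and listing world-writable entries and index.* files that contain the defacement string quoted in the thread. The function names and the sample tree are constructed for illustration; the output shows what a script running as the web server could overwrite or has overwritten, not which script was vulnerable.

```python
import os
import stat
import tempfile

MARKER = b"spy kidz"  # defacement string quoted in the thread, lowercased

def audit_docroot(root, marker=MARKER):
    """Return (world_writable, defaced) sorted path lists for everything under root."""
    world_writable, defaced = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not meaningful
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(path)  # any local user, incl. the web server, can write
            if stat.S_ISREG(st.st_mode) and name.lower().startswith("index."):
                try:
                    with open(path, "rb") as fh:
                        if marker in fh.read().lower():
                            defaced.append(path)
                except OSError:
                    pass
    return sorted(world_writable), sorted(defaced)

def build_sample_tree():
    """Constructed sample docroot, used only to demonstrate the audit."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.php": (b"<?php echo 'home'; ?>", 0o644),
        "shop/index.html": (b"<h1>Spy Kidz owns your server</h1>", 0o666),
        "shop/cart.php": (b"<?php // cart ?>", 0o666),
    }
    for rel, (body, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)  # fixed directory mode, independent of umask
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # chmod is not affected by umask
    return root

if __name__ == "__main__":
    ww, bad = audit_docroot(build_sample_tree())
    print("world-writable:", ww)
    print("defaced index files:", bad)
```

Files owned by the web server's own account are writable by PHP scripts even without the world-write bit, so on a real host the same walk should also compare `st_uid` against that account.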
