Re: php vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/22/05, Shafiq Rehman <rehmanms@xxxxxxxxx> wrote:
> Hi all,
> 
> Thanx to all of you. My server is running on Linux and there is not any
> phpbb running on it. If vulnerability is in my code.. Is there any way that
> I can find the buggy code on my server which allowed that trojan to write
> into all the index files.

There is not hard and fast method of finding vulnerabilities. That
would make crackers(as well as admins) jobs too easy. What you can do,
is read up on some PHP security tips, including but NOT LIMITED TO
error_reporting(E_ALL), initialising all variables, not trusting form
input, etc.

If you don't have the ability to do this yourself, you can hire
someone to do a code audit for you. Chris Shiflett (brainbulb.com) I
believe provides this service.

> 
> I analyzed the apache logs but did not found any thing wrong. My server is
> protected with firewar and only port 80 is opened.
> 
> Thanx
> --
> *** phpgurru.com <http://phpgurru.com> [A php resource provider] ***
> 
> \\\|///
> \\ - - //
> ( @ @ ) PHP is too logical for my brain
> +---oOOo-(_)-oOOo------------------------------------------+
> | Mian Shafiq ur Rehman
> | phpgurru.com <http://phpgurru.com> [A php resource provider]
> | 107 B, New Town, Multan Road
> | Lahore Pakistan
> |
> | Mobile: 0300 423 9385
> |
> | ooo0 http://www.phpgurru.com
> | ( ) 0ooo E-Mail: rehmanms@xxxxxxxxx
> +---\ (----( )------------------------------------------+
> \_) ) /
> (_/
> 
> On 8/22/05, Torgny Bjers <torgny@xxxxxxxxxxx> wrote:
> >
> > Shafiq Rehman wrote:
> > > My server was hacked last week and the message displayed on home page
> > was
> > > "spy kidz owns your server". I researched on internet and found that
> > this is
> > > some kind of trojan which infects the *.index files. It penetrate from
> > HTTP.
> > > Some paople were saying that there is vulnerability in PHP. Please help
> > how
> > > can I protect my server from further attacks.
> >
> > Hello Shafiq,
> >
> > One very common culprit in this scenario would be phpBB, especially
> > older versions, and if you are running PHP without safe_mode and
> > include_path directives, a script could very well overwrite every
> > world-writable (or web server writable) file on your entire server.
> > Happened to us once after a client had been running an old phpBB
> > version. We now have a set of scripts in place that scan our servers for
> > vulnerable scripts, phpBB among those, and alerts us when they're found
> > in a client's home directory.
> >
> > So, to protect your server: turn on safe_mode. If clients (if you have
> > clients on the machine) request safe_mode to be turned off, you can do
> > that manually in httpd.conf for Apache (not sure about IIS on Windows).
> > Also, using hard include paths in the httpd.conf for each virtual host
> > will prevent the scripts running on a site from including/touching files
> > that are outside said paths unless they manage to run a shell with a PHP
> > script that can be activated without using php.ini, which might in this
> > case be another security hole.
> >
> > Regards,
> > Torgny
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> 
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux