On Nov 9, 2007 9:27 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> Hi,
>
> One server that hosts several domains ended up with the message "Owned
> by W4n73d H4ck3r". While still performing an audit I am very
> confident that this was caused by a php script (it is a linux server)
> uploaded via FTP or by a defective site hosted (perhaps vulnerable
> version of a CMS).
>
> The symptoms seem clear, files owned by apache are vulnerable and the
> attacker script scanned the web tree and started running.
>
> So, basically two questions:
> - how to detect where this came from
> - how to prevent it from happening again
>
> Thanks.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Robert,

That's really not so much a PHP question, but a general Linux security question. Primarily, my job is computer forensics and security, so if you'd like, you can reply to me off-list and I'll be glad to offer you a hand.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.