On 11/9/07, Daniel Brown <parasane@xxxxxxxxx> wrote:
>
> On Nov 9, 2007 9:27 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> > Hi,
> >
> > One server that hosts several domains ended up with the message "Owned
> > by W4n73d H4ck3r". While still performing an audit I am very
> > confident that this was caused by a php script (it is a linux server)
> > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > version of a CMS).
> >
> > The symptoms seem clear, files owned by apache are vulnerable and the
> > attacker script scanned the web tree and started running.
> >
> > So, basically two questions:
> > - how to detect where this came from
> > - how to prevent it from happening again
> >
> > Thanks.
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> Robert,
>
> That's really not so much a PHP question, but a general Linux
> security question. Primarily, my job is computer forensics and
> security, so if you'd like, you can reply to me off-list and I'll be
> glad to offer you a hand.
>
> --
> Daniel P. Brown
> [office] (570-) 587-7080 Ext. 272
> [mobile] (570-) 766-8107
>
> If at first you don't succeed, stick to what you know best so that you
> can make enough money to pay someone else to do it for you.

I'd be interested in reading this thread. OK with me to keep it on the list.

David