Hi Daniel,

Thanks for the reply. I agree that there are steps that go outside PHP scope (chroot apache etc.) but I think this partially belongs to this list, especially since Google shows that the same message (perhaps a copycat?) appears in tons of sites.

I was hoping that someone already had tips regarding the PHP part (like disabling some functions etc.). But since I am also copying you directly please feel free to email me privately.

Thanks again.

On Nov 9, 2007 11:41 AM, Daniel Brown <parasane@xxxxxxxxx> wrote:
>
> On Nov 9, 2007 9:27 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> > Hi,
> >
> > One server that hosts several domains ended up with the message "Owned
> > by W4n73d H4ck3r". While still performing an audit I am very
> > confident that this was caused by a PHP script (it is a Linux server)
> > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > version of a CMS).
> >
> > The symptoms seem clear, files owned by apache are vulnerable and the
> > attacker script scanned the web tree and started running.
> >
> > So, basically two questions:
> > - how to detect where this came from
> > - how to prevent it from happening again
> >
> > Thanks.
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> Robert,
>
> That's really not so much a PHP question, but a general Linux
> security question. Primarily, my job is computer forensics and
> security, so if you'd like, you can reply to me off-list and I'll be
> glad to offer you a hand.
>
> --
> Daniel P. Brown
> [office] (570-) 587-7080 Ext. 272
> [mobile] (570-) 766-8107
>
> If at first you don't succeed, stick to what you know best so that you
> can make enough money to pay someone else to do it for you.
>