Re: Help securing a server : Owned by W4n73d H4ck3r

On Nov 9, 2007 10:05 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> Hi Daniel,
>
> Thanks for the reply.
>
> I agree that there are steps that go outside php scope (chroot apache
> etc) but I think this partially belongs to this list specially since
> google shows that the same message (perhaps a copycat?) appears in
> tons of sites.
>
> I was hoping that someone already had tips regarding the php part
> (like disabling some functions etc).
>
> But since I am also copying you directly please feel free to email me privately.
>
> Thanks again.
>
>
> On Nov 9, 2007 11:41 AM, Daniel Brown <parasane@xxxxxxxxx> wrote:
> >
> > On Nov 9, 2007 9:27 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> > > Hi,
> > >
> > > One server that hosts several domains ended up with the message "Owned
> > > by W4n73d H4ck3r".    While still performing an audit I am very
> > > confident that this was caused by a php script (it is a linux server)
> > > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > > version of a CMS).
> > >
> > > The symptoms seem clear, files owned by apache are vulnerable and the
> > > attacker script scanned the web tree and started running.
> > >
> > > So, basically two questions:
> > > - how to detect where this came from
> > > - how to prevent it from happening again
> > >
> > > Thanks.
> > >
> >
> >    Robert,
> >
> >    That's really not so much a PHP question, but a general Linux
> > security question.  Primarily, my job is computer forensics and
> > security, so if you'd like, you can reply to me off-list and I'll be
> > glad to offer you a hand.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.
> >
>

    It's all good.  We go off on tangents enough here anyway, so I
suppose one more wouldn't hurt.  ;-P

    The person doing this seems to be relatively new to the scene,
only defacing websites with common vulnerabilities that you can find
anywhere on the Internet (http://astalavista.box.sk/ for example).
Check out Zone-H (http://www.zone-h.net/) to see if your domains are
on there, and to see if you can build a pattern from his/her past
exploits.  That should help you in determining how he/she is doing it.

    You're on the right track in guessing that it was CMS-related.
Remember how many sites and servers were compromised when phpBB
exploits were announced and left unpatched?  These jackass skript
kiddies just Google for known versions and deface whatever they can.
It's not like the old days where you picked a target and found a way
in.... now it's just that you pick your way in and find a target.

    *yawn!* No challenge anymore.... these kids are too lazy....


-- 
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
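Robert's first question in the quoted thread is how to detect where the defacement came from. A defender's first triage pass over a shared host is to enumerate what in the web tree the web-server account could have written, what changed recently, and what carries the defacement text. The script below is an added example, not code from the thread or its authors: it assumes a Linux host, takes the web-server uid as a parameter (in real use `pwd.getpwnam("apache").pw_uid`), and its sample tree, file names and timestamps are constructed for the demonstration.

```python
import os
import stat
import tempfile
import time

DEFACEMENT_MARKER = b"Owned by W4n73d H4ck3r"  # the text reported in the thread

def audit_webroot(root, web_uid, since, marker=DEFACEMENT_MARKER):
    """Flag regular files under `root` that are owned by the web-server uid (a
    script running as Apache could have written them), modified at or after
    `since` (epoch seconds), or containing the defacement marker. Newest first."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: a planted symlink must not redirect the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_uid == web_uid:
                reasons.append("owned-by-webserver")
            if st.st_mtime >= since:
                reasons.append("recently-modified")
            with open(path, "rb") as fh:  # inspect only the first MiB
                if marker in fh.read(1 << 20):
                    reasons.append("defacement-marker")
            if reasons:
                findings.append((path, reasons, st.st_uid, st.st_mtime))
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings

def make_sample_tree():
    """Constructed sample tree: defaced index, untouched page, freshly dropped script."""
    root = tempfile.mkdtemp()
    samples = {"index.php": b"<?php echo 'Owned by W4n73d H4ck3r'; ?>",
               "about.php": b"<?php echo 'About us'; ?>",
               "uploads/x.php": b"<?php phpinfo(); ?>"}
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if not rel.startswith("uploads/"):  # old mtimes: about.php untouched, index.php backdated
            os.utime(path, (time.time() - 30 * 86400,) * 2)
    return root, time.time() - 7 * 86400  # flag anything touched in the last week

if __name__ == "__main__":  # real use: audit_webroot("/var/www", pwd.getpwnam("apache").pw_uid, since)
    root, since = make_sample_tree()
    for path, reasons, uid, mtime in audit_webroot(root, os.getuid(), since):
        print(",".join(reasons), path)
```

The backdated index in the sample shows why mtime alone is not enough: the marker search still catches a file whose timestamp was reset, while ownership and mtime narrow the rest of the tree to what a script running as the web user could have touched.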

