On Nov 9, 2007 10:48 AM, robert mena <robert.mena@xxxxxxxxx> wrote: > Hi Daniel, > > According to the audit this happened yesterday. > > I am searching astalavista but could not find anything, probably > because I am being too specific. > > From the php side (or closely) what steps would you recommend in order > to have a better security? > > I could not find a consistent 'list' of configuration settings to > disable or change besides the register_globals. > > From the system side my list so far includes (some already in place previous) > - no devel tools installed on the server (gcc etc) > - /tmp mounted with no_exec > - chroot apache > - use mod_security > > Thanks. > > > > > > > > > It's all good. We go off on tangents enough here anyway, so I > > suppose one more wouldn't hurt. ;-P > > > > The person doing this seems to be relatively new to the scene, > > only defacing websites with common vulnerabilities that you can find > > anywhere on the Internet (http://astalavista.box.sk/ for example). > > Check out Zone-H (http://www.zone-h.net/) to see if your domains are > > on there, and to see if you can build a pattern from his/her past > > exploits. That should help you in determining how he/she is doing it. > > > > You're on the right track in guessing that it was CMS-related. > > Remember how many sites and servers were compromised when phpBB > > exploits were announced and left unpatched? These jackass skript > > kiddies just Google for known versions and deface whatever they can. > > It's not like the old days where you picked a target and found a way > > in.... now it's just that you pick your way in and find a target. > > > > *yawn!* No challenge anymore.... these kids are too lazy.... > > > > > > -- > > > > Daniel P. Brown > > [office] (570-) 587-7080 Ext. 272 > > [mobile] (570-) 766-8107 > > > > If at first you don't succeed, stick to what you know best so that you > > can make enough money to pay someone else to do it for you. > > > Definitely phpSuExec on the PHP side. However, you're not addressing the problem directly, only in general scope. Go through your server logs to determine the specific method of attack first, and work down from there. Having locks on the doors is a good thing, but they don't help if you leave a window open. -- Daniel P. Brown [office] (570-) 587-7080 Ext. 272 [mobile] (570-) 766-8107 If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
