Me too, this would be interesting.

Bastien

> Date: Fri, 9 Nov 2007 09:01:09 -0600
> From: dgiragosian@xxxxxxxxx
> To: parasane@xxxxxxxxx
> CC: robert.mena@xxxxxxxxx; php-general@xxxxxxxxxxxxx
> Subject: Re: Help securing a server : Owned by W4n73d H4ck3r
>
> On 11/9/07, Daniel Brown <parasane@xxxxxxxxx> wrote:
> >
> > On Nov 9, 2007 9:27 AM, robert mena <robert.mena@xxxxxxxxx> wrote:
> > > Hi,
> > >
> > > One server that hosts several domains ended up with the message "Owned
> > > by W4n73d H4ck3r". While still performing an audit I am very
> > > confident that this was caused by a php script (it is a linux server)
> > > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > > version of a CMS).
> > >
> > > The symptoms seem clear, files owned by apache are vulnerable and the
> > > attacker script scanned the web tree and started running.
> > >
> > > So, basically two questions:
> > > - how to detect where this came from
> > > - how to prevent it from happening again
> > >
> > > Thanks.
> >
> > Robert,
> >
> > That's really not so much a PHP question, but a general Linux
> > security question. Primarily, my job is computer forensics and
> > security, so if you'd like, you can reply to me off-list and I'll be
> > glad to offer you a hand.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.
>
> I'd be interested in reading this thread. OK with me to keep it on the list.
>
> David