Re: hacked!!

[Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>]

On 10/3/2014 3:46 PM, Omega -1911 wrote:
> On Fri, Oct 3, 2014 at 3:18 PM, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> wrote:
>
> > On 10/3/2014 2:10 PM, Richard wrote:
> >
> > > ------------ Original Message ------------
> > >
> > > > Date: Friday, October 03, 2014 13:52:54 -0400
> > > > From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> > > > To: php-general@xxxxxxxxxxxxx
> > > > Cc:
> > > > Subject: Re:  hacked!!
> > > >
> > > > On 10/3/2014 1:31 PM, Richard wrote:
> > > >
> > > > > As a note, in this day and age, I strongly recommend against
> > > > > shared hosting. There was a time when it was cost-effective, but
> > > > > at this point in time, virtual hosting is a much better approach.
> > > > > With virtual hosting you are rather more protected from others on
> > > > > the same hardware and often have access to the logs, so can see
> > > > > what's going on.
> > > > >
> > > > >
> > > > >       - Richard
> > > > >
> > > > >
> > > > >
> > > > >   What is virtual hosting?
> > > >
> > > > PS - I looked at a log but all that is there is references to
> > > > every access to every file in my domain.  GET/POST/....  ips,
> > > > files, paths,blah blah blah.
> > > >
> > > > What is one supposed to glean from this?
> > >
> > > Try doing a google search for shared vs. virtual hosting -- that
> > > should return a number of pointers you can follow.
> > >
> > > When looking at logs it helps greatly to have the timeframe narrowed
> > > down as tightly as possible -- so that's generally the first task.
> > > Then, in web server logs, look for things that are out of the norm
> > > -- e.g., a POST that has an odd name (or the names of the files in
> > > question), or GETs that have QUERY_STRING values. Note, if you don't
> > > properly sanitize the input (QUERY_STRING) that you're pulling from
> > > a GET or POST, that can potentially be used as a path for doing fun
> > > things on a site.
> > >
> > > You should also be looking at the server security-oriented logs. In
> > > a shared-hosting environment you likely don't have access to them,
> > > but once you've narrowed down the likely timeframe you can talk with
> > > your hosting provider and have them look.
> > >
> > >
> > >       - Richard
> > >
> > >
> > >   What is any log going to tell us?  Only if it tells me exactly how they
> > got to my site will it be worthwhile.  I really don't care who did it - I
> > just care how.  That's not going to be in a log, is it?
> >
> >
> > Yes it will. The one thing that I have not seen mentioned is if this could
> be due to your hosting provider not installing the latest security updates.
> Often, they don't. Here is an example of what I viewed in my logs today:
>
> [149.210.135.28] - - [03/Oct/2014:12:20:56 -0400] "GET
> /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 - "-"
> "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8)
> Gecko/20100722 Firefox/3.6.8"
>
> 1) If you look closely, the last line is a hack attempt. It was not
> successful because I have firewall rules that monitor all incoming and
> outgoing traffic.
> 2) On shared servers, another user on the site could have an insecure
> script that allowed the hacker to gain access to your account or all
> accounts hosted on the server.
> 3) If you use the command line, please note that others can see commands
> being run by you or others.
> 4) Before you go changing passwords, it may be REALLY important to find out
> HOW they did this, because the security hole may still be there.
What makes that last line a 'hack attempt'?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php