On 10/3/2014 3:46 PM, Omega -1911 wrote:
On Fri, Oct 3, 2014 at 3:18 PM, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
wrote:
On 10/3/2014 2:10 PM, Richard wrote:
------------ Original Message ------------
Date: Friday, October 03, 2014 13:52:54 -0400
From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Cc:
Subject: Re: hacked!!
On 10/3/2014 1:31 PM, Richard wrote:
As a note, in this day and age, I strongly recommend against
shared hosting. There was a time when it was cost-effective, but
at this point in time, virtual hosting is a much better approach.
With virtual hosting you are rather more protected from others on
the same hardware and often have access to the logs, so can see
what's going on.
- Richard
What is virtual hosting?
PS - I looked at a log but all that is there is references to
every access to every file in my domain. GET/POST/.... ips,
files, paths, blah blah blah.
What is one supposed to glean from this?
Try doing a google search for shared vs. virtual hosting -- that
should return a number of pointers you can follow.
When looking at logs it helps greatly to have the timeframe narrowed
down as tightly as possible -- so that's generally the first task.
Then, in web server logs, look for things that are out of the norm
-- e.g., a POST that has an odd name (or the names of the files in
question), or GETs that have QUERY_STRING values. Note, if you don't
properly sanitize the input (QUERY_STRING) that you're pulling from
a GET or POST, that can potentially be used as a path for doing fun
things on a site.
You should also be looking at the server security-oriented logs. In
a shared-hosting environment you likely don't have access to them,
but once you've narrowed down the likely timeframe you can talk with
your hosting provider and have them look.
- Richard
What is any log going to tell us? Only if it tells me exactly how they
got to my site will it be worthwhile. I really don't care who did it - I
just care how. That's not going to be in a log, is it?
Yes it will. The one thing that I have not seen mentioned is if this could
be due to your hosting provider not installing the latest security updates.
Often, they don't. Here is an example of what I viewed in my logs today:
[149.210.135.28] - - [03/Oct/2014:12:20:56 -0400] "GET
/wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 - "-"
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8)
Gecko/20100722 Firefox/3.6.8"
1) If you look closely, the last line is a hack attempt. It was not
successful because I have firewall rules that monitor all incoming and
outgoing traffic.
2) On shared servers, another user on the site could have an insecure
script that allowed the hacker to gain access to your account or all
accounts hosted on the server.
3) If you use the command line, please note that others can see commands
being run by you or others.
4) Before you go changing passwords, it may be REALLY important to find out
HOW they did this, because the security hole may still be there.
What makes that last line a 'hack attempt'?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
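Richard's log-reading advice (narrow the timeframe first, then look for odd POSTs and for GETs carrying QUERY_STRING values) and the 404 on a plugin readme that Omega quoted, turned into a small triage script. This is an added example, not code from anyone in the thread; it assumes the Apache/nginx "combined" log format, and the 192.0.2.0/24 addresses, the /contact.php path and the PROBE_PATHS list are constructed for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format (assumption: the host writes it); "[ip]" brackets as in the thread's line are tolerated.
LOG_RE = re.compile(
    r'\[?(?P<ip>[^\s\]]+)\]? \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PROBE_PATHS = ("/wp-content/plugins/", "/readme.txt", "/xmlrpc.php")  # constructed: paths this site never serves

def parse(line):
    m = LOG_RE.search(line)
    if not m:
        return None  # a line in some other format is skipped, not mis-parsed
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def suspicious_reasons(rec, known_post_paths):
    # The thread's three rules: odd POSTs, GETs carrying a query string, 404s on plugin/probe paths.
    reasons = []
    if rec["method"] == "POST" and rec["path"] not in known_post_paths:
        reasons.append("POST to unexpected path")
    if rec["method"] == "GET" and rec["query"]:
        reasons.append("GET with query string")
    if rec["status"] == "404" and any(p in rec["path"] for p in PROBE_PATHS):
        reasons.append("404 on plugin/probe path")
    return reasons

def triage(lines, start, end, known_post_paths):
    # Narrow to the time window first (Richard's first task), then apply the rules.
    hits = []
    for rec in filter(None, map(parse, lines)):
        if start <= rec["ts"] <= end:
            reasons = suspicious_reasons(rec, known_post_paths)
            if reasons:
                hits.append((rec["ip"], rec["method"], rec["target"], rec["status"], reasons))
    return hits
# Constructed sample: the line Omega quoted plus four made-up entries (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '[149.210.135.28] - - [03/Oct/2014:12:20:56 -0400] "GET /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"',
    '192.0.2.10 - - [03/Oct/2014:12:21:03 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [03/Oct/2014:12:22:10 -0400] "GET /index.php?page=contact HTTP/1.1" 200 512 "-" "curl/7.30"',
    '192.0.2.12 - - [03/Oct/2014:12:23:40 -0400] "POST /uploads/x.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [03/Oct/2014:15:00:00 -0400] "GET /a.php?x=1 HTTP/1.1" 200 10 "-" "-"',  # outside the window
]
EDT = timezone(timedelta(hours=-4))
def demo():  # the hour around the quoted probe; this site only expects POSTs to /contact.php
    start, end = datetime(2014, 10, 3, 12, 0, tzinfo=EDT), datetime(2014, 10, 3, 13, 0, tzinfo=EDT)
    return triage(SAMPLE_LOG, start, end, known_post_paths={"/contact.php"})
```

Each hit carries the reason it was kept, so the entries that still look odd after review are what you take to the hosting provider together with the narrowed timeframe.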