Posted by Torgny Bjers on 08/22/05 10:31
Shafiq Rehman wrote:
> My server was hacked last week and the message displayed on home page was
> "spy kidz owns your server". I researched on the internet and found that this is
> some kind of trojan which infects the *.index files. It penetrates from HTTP.
> Some people were saying that there is a vulnerability in PHP. Please help how
> can I protect my server from further attacks.

Hello Shafiq,

One very common culprit in this scenario would be phpBB, especially
older versions, and if you are running PHP without safe_mode and
include_path directives, a script could very well overwrite every
world-writable (or web server writable) file on your entire server.
Happened to us once after a client had been running an old phpBB
version. We now have a set of scripts in place that scan our servers for
vulnerable scripts, phpBB among those, and alert us when they're found
in a client's home directory.

So, to protect your server: turn on safe_mode. If clients (if you have
clients on the machine) request safe_mode to be turned off, you can do
that manually in httpd.conf for Apache (not sure about IIS on Windows).
Also, using hard include paths in the httpd.conf for each virtual host
will prevent the scripts running on a site from including/touching files
that are outside said paths unless they manage to run a shell with a PHP
script that can be activated without using php.ini, which might in this
case be another security hole.

Regards,
Torgny
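
The exposure described in the reply above (files that are world-writable or writable by the web server account) can be audited directly. The following is an added example, not part of the original post and not the poster's own scanning scripts; the function names and the default account name `www-data` are assumptions.

```python
import os
import pwd
import stat
import sys


def write_risk(st, web_uid, web_gids):
    """Return why the web server account could modify this entry, or None."""
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid == web_uid:
        # An owner can always chmod the entry, so ownership alone is enough.
        return "owned by web server user"
    if st.st_gid in web_gids and st.st_mode & stat.S_IWGRP:
        return "group-writable by web server group"
    return None


def audit(root, web_uid, web_gids):
    """Walk root and list (relative path, reason) for every risky file or directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            reason = write_risk(st, web_uid, web_gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit.py <directory> [web-server-account]; "www-data" is an assumed default.
    root = sys.argv[1]
    user = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www-data")
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for rel, reason in audit(root, user.pw_uid, gids):
        print(f"{reason}: {rel}")
```

Run it against each client home directory or virtual host document root; anything it lists is a file that a compromised script running as the web server could overwrite.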