On 24 Sep 2006, at 04:00, Gadi Evron wrote:
> [...]
> With thousands of sites on every server and virtual machines everywhere,
> all it takes is one insecure web application such as xxxBB or PHPxx for
> the server to be remotely accessed, and for a remote connect-back shell
> to be installed. The rest is history.
Hence why I'm rather partial to the ROT13 of a certain such application: cucOO.
> [...]
> We all (well, never say all, every, never, ever, etc.), many of us face
> this. What solutions have you found?
> Some solutions I heard used, or utilized:
> 1. Remote scanning of web servers.
Well, I *did* at one point have a script that looked for files with any of a
list of MD5 sums and chmod them 000 if it found one.
Grepping for "Matt Wright" in Perl scripts and chmodding them is also not a
bad idea :)
> 2. Much stronger security enforcement on servers.
Actually, even bothering to use Unix user accounts rather than running
everything under the Apache uid (or sometimes nobody or root!) would be a
fine start.
> 3. "Quietly patching" user web applications without permission.
I would like to plead the Fifth at this point.
> 4. JGH - Just getting hacked.
This seems to be a popular enough technique, as long as the money still keeps
rolling in, but not one I particularly subscribe to because the bad reputation
gets round after a while.
> What have you encountered? What have you done, sorry, heard of someone
> else do, to combat this very difficult problem on your networks?
Hacked accounts aren't evenly distributed over the customer base. A
judiciously-applied account suspension or bollocking goes a long way.
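The two quarantine tricks mentioned in the reply above (chmod 000 on files whose MD5 is on a known-bad list, and chmod 000 on Perl scripts that carry a tell-tale string) combined into one small POSIX shell scanner. This is an added example and not a script from the thread or from either poster; the web root, the file contents and the hash list are all constructed here for the demonstration (the hash list is generated from the sample tree itself, not taken from any real malware corpus), and the function names are my own.

```shell
#!/bin/sh
# Added example: quarantine scanner for a shared-hosting web root.
# Matches files against a known-bad MD5 list and Perl/CGI scripts against a
# signature string, then chmods hits to 000 so the web server can no longer
# read or execute them while leaving them in place for forensic review.
# Everything below (paths, contents, hashes) is constructed for the demo.

SIGNATURE="Matt Wright"   # string the thread suggests grepping for in Perl scripts

md5_of() {
    # Print the MD5 of one file; works with coreutils md5sum or BSD md5.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

perms_of() {
    # Nine-character permission string such as "rw-r--r--", via ls for portability.
    ls -ld "$1" | cut -c2-10
}

quarantine() {
    # chmod 000: neither the Apache uid nor the account owner can read or run
    # the file any more, but nothing is deleted. Prints the path on success.
    chmod 000 "$1" && echo "$1"
}

scan_by_hash() {
    # $1 = web root to walk, $2 = file holding one known-bad MD5 per line.
    # Prints each quarantined path on its own line.
    find "$1" -type f | while IFS= read -r f; do
        [ -r "$f" ] || continue                      # skip already-quarantined files
        if grep -qxF -- "$(md5_of "$f")" "$2"; then  # whole-line, fixed-string match
            quarantine "$f"
        fi
    done
}

scan_by_signature() {
    # $1 = web root. Only Perl/CGI sources are inspected for the signature.
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) | while IFS= read -r f; do
        if grep -q -- "$SIGNATURE" "$f" 2>/dev/null; then
            quarantine "$f"
        fi
    done
}

make_sample_tree() {
    # Build a constructed web root plus a matching hash list; prints the root.
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/cgi-bin"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php /* constructed sample standing in for a dropped file */ ?>\n' \
        > "$root/uploads/dropped.php"
    printf '#!/usr/bin/perl\n# constructed header crediting Matt Wright\n' \
        > "$root/cgi-bin/formmail.pl"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$root/cgi-bin/ok.pl"
    # The "known-bad" list is just the hash of the constructed dropped file.
    md5_of "$root/uploads/dropped.php" > "$root/.bad-md5.txt"
    echo "$root"
}

# Usage: sh scanner.sh --demo   (builds the sample tree, scans it, cleans up)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    scan_by_hash "$root" "$root/.bad-md5.txt"
    scan_by_signature "$root"
    rm -rf "$root"
fi
```

On a real host you would point `scan_by_hash` at the customer web roots and at a hash list you maintain, and run it from cron under a uid that owns nothing in those trees; the hash check catches byte-identical drops, the signature check catches the old CGI scripts the thread mentions regardless of local edits, and a `perms_of` listing afterwards tells you what was caught.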