On Friday 21 December 2001 03:51, Bogdan Stancescu stuffed this into my mailbox:
NEVER EVER think that because they don't know your URL they won't find you!!!!!!!!!!!

I've seen various people on security mailing lists stating "I just have a new domain I haven't published yet and I got hacked already" (or even with nimda/code red, with servers on new domains that got infected within several hours without any outsiders knowing about the domain).

The thing is pretty simple: a lot of people scan for webservers, so never assume they won't find you. I personally use a dynamic DNS at home, which sometimes doesn't update correctly. Whatever the reason, when I need my box and the dyndns isn't correctly pointing to my home IP, I simply scan the entire ISP IP range for webservers and look at each and every one of them until I find mine. Believe me, I've seen shitloads of pages nobody but the computer owner knew about, or at least, so they think....

The point is YOU CAN AND WILL be found :-)

Virtual domains are another thing, they're pretty hard. But they'll still find the webserver, with which they only get the 1st domain if they don't know the domain names of the others, but still, you're not safe. Security is about securing every step you can. Hence, if your webserver or whatever was cracked, or they could get the config through some exploit or something, they'd know the virtual domains. Since they want in and only got that and couldn't find any other exploits, they'll be looking on the other domains for insecurities in scripts and CGIs n stuff.

Regards & happy holidays people.

> > > > True, but in a shared hosting environment this is very likely.
> > >
> > >...not to mention open source code.
> >
> > Oh yeah. Guess I had a mental lapse there. If you are using, say, a
> > script downloaded from freshmeat.net and it happens to be poorly secured
> > then obviously the entire free world is going to know how to exploit your
> > copy of it....duh....
>
> Actually that's exactly what I had in mind. Heck, if your point is that
> they don't know your URL then what's the point in the whole security issue
> anyways?

--
PHP General Mailing List (http://www.php.net/)