This is sort of a weird question as it seemingly involves both physical
theft and virtual theft.....  But here goes:

1) How do script kiddies find you?
If you have a public IP address, and you are not protected behind a
firewall, you will be probed by scripts.  How do they find you?  By port
scanning large ranges of IP addresses.  They often scan all the RoadRunner
IPs... So they start in 24.x.x.1 range and work through all of them testing
out common ports (http, ftp, ssh, etc).  Then, if the script finds an open
port, it will test out an exploit (or a series of known exploits).  For
example, FTP usually runs on port 21.... If the script finds an open port
21, on a RedHat 6.0 box, it may try the remote root exploit of the ftp
daemon (wuftpd).  If that doesn't work, it just moves onto the next one.

If you are running a private Apache server, and you don't want the public to
see it, then it is time to learn about firewalls.

2) Broadcasting your IP
Your questions are odd here.... But yes, you can often learn a fair bit
about an IP.  Do a reverse DNS lookup on a university campus and you can
often find a lot.... Maybe seat13.mathlab.university.edu.

Also, you can find out a lot from what Apache sends in the headers...
Example: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

So, if I check out your server, and see that you are running PHP 4.06 on
Linux or Solaris, a hacker could try the multipart/form-data exploit with a
broken boundary check (http://security.e-matters.de/advisories/012002.html).

There is a setting in Apache to limit this information in the headers so
that you do not reveal what kind of OS you are running and what version of
PHP and Apache you are running... I suppose this could help in limiting
exploits..... Although, keeping up-to-date with versions, patches, and
security alerts is a better solution.

http://httpd.apache.org/docs/mod/core.html#servertokens


Sam

On 3/10/02 9:45 PM, "jtjohnston" <[EMAIL PROTECTED]> wrote:

> Not really a php thing, more a loss of php :) !
> 
> My PHP-MySQL server has been stolen from my office (last night).
> Security has not been doing their job!
> 
> I noticed in the logs once where people were trying to get in by FTP on
> occasion, or adding weird things to a url, when it was running just as
> an IP. My question is: does my Apache server broadcast itself or its IP
> for when script kiddies come check out my machine to see if they can
> crash it? What does it broadcast? How did the script kiddies find me?
> Can I reverse process this and see if my stolen machine still exists
> anywhere? What would I look for?
> 
> I have a ghost backup going back around four weeks ago, but ...
> 
> Sigh :(
> John
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
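
As an added example (not part of the original message): a Python sketch for auditing your own server's `Server` header, splitting it into the product tokens and platform comment described in the reply and reporting which ServerTokens level the value is consistent with. The function names are hypothetical, the sample headers are the one quoted in the reply plus constructed variants, and the Major and Minor levels are from Apache 2.x.

```python
import re

# Matches either a parenthesised comment or a product[/version] token.
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def parse_server_header(value):
    """Split a Server header value into ([(product, version)], [comments])."""
    products, comments = [], []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def audit(value):
    """Report the ServerTokens level a header looks like and what it discloses."""
    products, comments = parse_server_header(value)
    if not products:
        return {"level": "unknown", "disclosed": []}
    name, version = products[0]
    disclosed = [f"{name} version {version}"] if version else []
    disclosed += [f"platform {c}" for c in comments]
    disclosed += [f"component {n} {v or ''}".strip() for n, v in products[1:]]
    if len(products) > 1:
        level = "Full"      # extra product tokens (PHP, modules) are present
    elif comments:
        level = "OS"        # server version plus platform comment
    elif version is None:
        level = "Prod"      # bare product name, nothing else
    else:
        # One version field is Major, two is Minor, more is Min.
        level = {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
    return {"level": level, "disclosed": disclosed}

if __name__ == "__main__":
    samples = [
        "Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2",  # header quoted in the reply
        "Apache/1.3.0 (Unix)",                     # constructed
        "Apache/1.3.0",                            # constructed
        "Apache",                                  # constructed
    ]
    for header in samples:
        result = audit(header)
        print(f"{header!r}: looks like ServerTokens {result['level']}")
        for item in result["disclosed"]:
            print(f"    discloses {item}")
```

Feed it the `Server:` value from a response of a server you run; anything other than `Prod` means version or platform details are still being sent.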
