Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
On Nov 9, 2007 5:48 PM, robert mena <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> According to the audit this happened yesterday.
>
> I am searching astalavista but could not find anything, probably
> because I am being too specific.
>
> From the php side (or closely) what steps would you recommend in order
> to have better security?
>
> I could not find a consistent 'list' of configuration settings to
> disable or change besides the register_globals.
>
> From the system side my list so far includes (some already in place previously)
> - no devel tools installed on the server (gcc etc)
> - /tmp mounted with no_exec
> - chroot apache
> - use mod_security
>
> Thanks.
>
> > It's all good. We go off on tangents enough here anyway, so I
> > suppose one more wouldn't hurt. ;-P
> >
> > The person doing this seems to be relatively new to the scene,
> > only defacing websites with common vulnerabilities that you can find
> > anywhere on the Internet (http://astalavista.box.sk/ for example).
> > Check out Zone-H (http://www.zone-h.net/) to see if your domains are
> > on there, and to see if you can build a pattern from his/her past
> > exploits. That should help you in determining how he/she is doing it.
> >
> > You're on the right track in guessing that it was CMS-related.
> > Remember how many sites and servers were compromised when phpBB
> > exploits were announced and left unpatched? These jackass skript
> > kiddies just Google for known versions and deface whatever they can.
> > It's not like the old days where you picked a target and found a way
> > in; now it's just that you pick your way in and find a target.
> >
> > *yawn!* No challenge anymore; these kids are too lazy.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.

You may try the suhosin patch: http://www.hardened-php.net/suhosin/

I'm using FreeBSD and the current versions of php come with it selected by default (probably for a good reason).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
That's an old SPAW exploit. Google (gotta love how that's a verb now) for `spaw exploit` and the first result is MARC.

[NOTE: All previous text cleared because this is the THIRD time I've sent the message after Mailman rejected it twice due to URLs in log inclusion.]

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
RE: [PHP] Help securing a server : Owned by W4n73d H4ck3r
> > The person doing this seems to be relatively new to the scene,
> > only defacing websites with common vulnerabilities that you can find
> > anywhere on the Internet (http://astalavista.box.sk/ for example).
> > Check out Zone-H (http://www.zone-h.net/) to see if your domains are
> > on there, and to see if you can build a pattern from his/her past
> > exploits. That should help you in determining how he/she is doing it.
> >
> > You're on the right track in guessing that it was CMS-related.
> > Remember how many sites and servers were compromised when phpBB
> > exploits were announced and left unpatched? These jackass skript
> > kiddies just Google for known versions and deface whatever they can.
> > It's not like the old days where you picked a target and found a way
> > in; now it's just that you pick your way in and find a target.
> >
> > *yawn!* No challenge anymore; these kids are too lazy.

Are you using joomla cms? Several google hits were about that one.

My $0.02. I'll defer to the security practitioner.
RE: [PHP] Help securing a server : Owned by W4n73d H4ck3r
Me too, this would be interesting.

bastien

> Date: Fri, 9 Nov 2007 09:01:09 -0600
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]; php-general@lists.php.net
> Subject: Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
>
> On 11/9/07, Daniel Brown <[EMAIL PROTECTED]> wrote:
> >
> > On Nov 9, 2007 9:27 AM, robert mena <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > One server that hosts several domains ended up with the message "Owned
> > > by W4n73d H4ck3r". While still performing an audit I am very
> > > confident that this was caused by a php script (it is a linux server)
> > > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > > version of a CMS).
> > >
> > > The symptoms seem clear, files owned by apache are vulnerable and the
> > > attacker script scanned the web tree and started running.
> > >
> > > So, basically two questions:
> > > - how to detect where this came from
> > > - how to prevent it from happening again
> > >
> > > Thanks.
> >
> > Robert,
> >
> > That's really not so much a PHP question, but a general Linux
> > security question. Primarily, my job is computer forensics and
> > security, so if you'd like, you can reply to me off-list and I'll be
> > glad to offer you a hand.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.
>
> I'd be interested in reading this thread. OK with me to keep it on the list.
>
> David
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
Me too. Guess a lot of us can learn something here from another's misfortune. Thanks Robert and good luck.

On 09/11/2007, Edward Kay <[EMAIL PROTECTED]> wrote:
> > I'd be interested in reading this thread. OK with me to keep it
> > on the list.
>
> Ditto.
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
On Nov 9, 2007 10:48 AM, robert mena <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> According to the audit this happened yesterday.
>
> I am searching astalavista but could not find anything, probably
> because I am being too specific.
>
> From the php side (or closely) what steps would you recommend in order
> to have better security?
>
> I could not find a consistent 'list' of configuration settings to
> disable or change besides the register_globals.
>
> From the system side my list so far includes (some already in place previously)
> - no devel tools installed on the server (gcc etc)
> - /tmp mounted with no_exec
> - chroot apache
> - use mod_security
>
> Thanks.
>
> > It's all good. We go off on tangents enough here anyway, so I
> > suppose one more wouldn't hurt. ;-P
> >
> > The person doing this seems to be relatively new to the scene,
> > only defacing websites with common vulnerabilities that you can find
> > anywhere on the Internet (http://astalavista.box.sk/ for example).
> > Check out Zone-H (http://www.zone-h.net/) to see if your domains are
> > on there, and to see if you can build a pattern from his/her past
> > exploits. That should help you in determining how he/she is doing it.
> >
> > You're on the right track in guessing that it was CMS-related.
> > Remember how many sites and servers were compromised when phpBB
> > exploits were announced and left unpatched? These jackass skript
> > kiddies just Google for known versions and deface whatever they can.
> > It's not like the old days where you picked a target and found a way
> > in; now it's just that you pick your way in and find a target.
> >
> > *yawn!* No challenge anymore; these kids are too lazy.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.

Definitely phpSuExec on the PHP side.

However, you're not addressing the problem directly, only in general scope. Go through your server logs to determine the specific method of attack first, and work down from there. Having locks on the doors is a good thing, but they don't help if you leave a window open.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
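As an added illustration of the log-driven triage recommended above (example code written for this edit, not code from any poster in the thread): it lists files in the web tree owned by the web-server uid that changed after a given time, then finds the first access-log request that hit each of them. The web root, the uid, and the embedded sample log lines are constructed assumptions; the log format assumed is Apache common/combined.

```python
#!/usr/bin/env python3
"""Added triage helper for a defaced PHP host (not from the thread):
1. changed_files(): web-tree files owned by the web-server uid modified since T
2. first_requests(): earliest access-log request that touched each such file
Together they narrow 'which site let the script in' to a handful of log lines."""
import os
import re
from datetime import datetime, timezone

# Apache common/combined line: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not a real capture); IPs and paths are made up.
SAMPLE_LOG = """\
198.51.100.9 - - [08/Nov/2007:02:10:05 +0000] "GET /site1/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [08/Nov/2007:03:12:44 +0000] "POST /site1/editor/upload.php HTTP/1.1" 200 412
203.0.113.7 - - [08/Nov/2007:03:12:51 +0000] "GET /site1/editor/uploads/c.php?x=1 HTTP/1.1" 200 880
203.0.113.7 - - [08/Nov/2007:03:13:10 +0000] "GET /site1/editor/uploads/c.php HTTP/1.1" 200 880
not a log line
""".splitlines()


def parse_line(line):
    """Return dict(ip, time, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string for matching
    d["status"] = int(d["status"])
    return d


def changed_files(webroot, owner_uid, since):
    """URL-style paths (relative to webroot) of files owned by owner_uid whose
    mtime is at or after `since` (timezone-aware). Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            if st.st_uid == owner_uid and mtime >= since:
                hits.append("/" + os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def first_requests(log_lines, paths):
    """Earliest parsed log record for each suspect path, keyed by path."""
    wanted = set(paths)
    first = {}
    for line in log_lines:
        r = parse_line(line)
        if r and r["path"] in wanted:
            if r["path"] not in first or r["time"] < first[r["path"]]["time"]:
                first[r["path"]] = r
    return first


if __name__ == "__main__":
    # Real use: paths = changed_files("/var/www", pwd.getpwnam("apache").pw_uid, since)
    for path, r in first_requests(SAMPLE_LOG, ["/site1/editor/uploads/c.php"]).items():
        print(path, r["ip"], r["time"].isoformat(), r["method"], r["status"])
```

The requests just before the first hit on a suspect file (here the POST to the upload script from the same client) are where to look for the entry point.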
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
Hi Daniel,

According to the audit this happened yesterday.

I am searching astalavista but could not find anything, probably because I am being too specific.

From the php side (or closely) what steps would you recommend in order to have better security?

I could not find a consistent 'list' of configuration settings to disable or change besides the register_globals.

From the system side my list so far includes (some already in place previously)
- no devel tools installed on the server (gcc etc)
- /tmp mounted with no_exec
- chroot apache
- use mod_security

Thanks.

> It's all good. We go off on tangents enough here anyway, so I
> suppose one more wouldn't hurt. ;-P
>
> The person doing this seems to be relatively new to the scene,
> only defacing websites with common vulnerabilities that you can find
> anywhere on the Internet (http://astalavista.box.sk/ for example).
> Check out Zone-H (http://www.zone-h.net/) to see if your domains are
> on there, and to see if you can build a pattern from his/her past
> exploits. That should help you in determining how he/she is doing it.
>
> You're on the right track in guessing that it was CMS-related.
> Remember how many sites and servers were compromised when phpBB
> exploits were announced and left unpatched? These jackass skript
> kiddies just Google for known versions and deface whatever they can.
> It's not like the old days where you picked a target and found a way
> in; now it's just that you pick your way in and find a target.
>
> *yawn!* No challenge anymore; these kids are too lazy.
>
> --
> Daniel P. Brown
> [office] (570-) 587-7080 Ext. 272
> [mobile] (570-) 766-8107
>
> If at first you don't succeed, stick to what you know best so that you
> can make enough money to pay someone else to do it for you.
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
On Nov 9, 2007 10:05 AM, robert mena <[EMAIL PROTECTED]> wrote:
> Hi Daniel,
>
> Thanks for the reply.
>
> I agree that there are steps that go outside php scope (chroot apache
> etc) but I think this partially belongs to this list, especially since
> google shows that the same message (perhaps a copycat?) appears in
> tons of sites.
>
> I was hoping that someone already had tips regarding the php part
> (like disabling some functions etc).
>
> But since I am also copying you directly please feel free to email me
> privately.
>
> Thanks again.
>
> On Nov 9, 2007 11:41 AM, Daniel Brown <[EMAIL PROTECTED]> wrote:
> >
> > On Nov 9, 2007 9:27 AM, robert mena <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > One server that hosts several domains ended up with the message "Owned
> > > by W4n73d H4ck3r". While still performing an audit I am very
> > > confident that this was caused by a php script (it is a linux server)
> > > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > > version of a CMS).
> > >
> > > The symptoms seem clear, files owned by apache are vulnerable and the
> > > attacker script scanned the web tree and started running.
> > >
> > > So, basically two questions:
> > > - how to detect where this came from
> > > - how to prevent it from happening again
> > >
> > > Thanks.
> >
> > Robert,
> >
> > That's really not so much a PHP question, but a general Linux
> > security question. Primarily, my job is computer forensics and
> > security, so if you'd like, you can reply to me off-list and I'll be
> > glad to offer you a hand.
> >
> > --
> > Daniel P. Brown
> > [office] (570-) 587-7080 Ext. 272
> > [mobile] (570-) 766-8107
> >
> > If at first you don't succeed, stick to what you know best so that you
> > can make enough money to pay someone else to do it for you.

It's all good. We go off on tangents enough here anyway, so I suppose one more wouldn't hurt. ;-P

The person doing this seems to be relatively new to the scene, only defacing websites with common vulnerabilities that you can find anywhere on the Internet (http://astalavista.box.sk/ for example). Check out Zone-H (http://www.zone-h.net/) to see if your domains are on there, and to see if you can build a pattern from his/her past exploits. That should help you in determining how he/she is doing it.

You're on the right track in guessing that it was CMS-related. Remember how many sites and servers were compromised when phpBB exploits were announced and left unpatched? These jackass skript kiddies just Google for known versions and deface whatever they can. It's not like the old days where you picked a target and found a way in; now it's just that you pick your way in and find a target.

*yawn!* No challenge anymore; these kids are too lazy.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
RE: [PHP] Help securing a server : Owned by W4n73d H4ck3r
> > I'd be interested in reading this thread. OK with me to keep it
> > on the list.

Ditto.
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
Hi Daniel,

Thanks for the reply.

I agree that there are steps that go outside php scope (chroot apache etc) but I think this partially belongs to this list, especially since google shows that the same message (perhaps a copycat?) appears in tons of sites.

I was hoping that someone already had tips regarding the php part (like disabling some functions etc).

But since I am also copying you directly please feel free to email me privately.

Thanks again.

On Nov 9, 2007 11:41 AM, Daniel Brown <[EMAIL PROTECTED]> wrote:
>
> On Nov 9, 2007 9:27 AM, robert mena <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > One server that hosts several domains ended up with the message "Owned
> > by W4n73d H4ck3r". While still performing an audit I am very
> > confident that this was caused by a php script (it is a linux server)
> > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > version of a CMS).
> >
> > The symptoms seem clear, files owned by apache are vulnerable and the
> > attacker script scanned the web tree and started running.
> >
> > So, basically two questions:
> > - how to detect where this came from
> > - how to prevent it from happening again
> >
> > Thanks.
>
> Robert,
>
> That's really not so much a PHP question, but a general Linux
> security question. Primarily, my job is computer forensics and
> security, so if you'd like, you can reply to me off-list and I'll be
> glad to offer you a hand.
>
> --
> Daniel P. Brown
> [office] (570-) 587-7080 Ext. 272
> [mobile] (570-) 766-8107
>
> If at first you don't succeed, stick to what you know best so that you
> can make enough money to pay someone else to do it for you.
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
On 11/9/07, Daniel Brown <[EMAIL PROTECTED]> wrote:
>
> On Nov 9, 2007 9:27 AM, robert mena <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > One server that hosts several domains ended up with the message "Owned
> > by W4n73d H4ck3r". While still performing an audit I am very
> > confident that this was caused by a php script (it is a linux server)
> > uploaded via FTP or by a defective site hosted (perhaps vulnerable
> > version of a CMS).
> >
> > The symptoms seem clear, files owned by apache are vulnerable and the
> > attacker script scanned the web tree and started running.
> >
> > So, basically two questions:
> > - how to detect where this came from
> > - how to prevent it from happening again
> >
> > Thanks.
>
> Robert,
>
> That's really not so much a PHP question, but a general Linux
> security question. Primarily, my job is computer forensics and
> security, so if you'd like, you can reply to me off-list and I'll be
> glad to offer you a hand.
>
> --
> Daniel P. Brown
> [office] (570-) 587-7080 Ext. 272
> [mobile] (570-) 766-8107
>
> If at first you don't succeed, stick to what you know best so that you
> can make enough money to pay someone else to do it for you.

I'd be interested in reading this thread. OK with me to keep it on the list.

David
Re: [PHP] Help securing a server : Owned by W4n73d H4ck3r
On Nov 9, 2007 9:27 AM, robert mena <[EMAIL PROTECTED]> wrote:
> Hi,
>
> One server that hosts several domains ended up with the message "Owned
> by W4n73d H4ck3r". While still performing an audit I am very
> confident that this was caused by a php script (it is a linux server)
> uploaded via FTP or by a defective site hosted (perhaps vulnerable
> version of a CMS).
>
> The symptoms seem clear, files owned by apache are vulnerable and the
> attacker script scanned the web tree and started running.
>
> So, basically two questions:
> - how to detect where this came from
> - how to prevent it from happening again
>
> Thanks.

Robert,

That's really not so much a PHP question, but a general Linux security question. Primarily, my job is computer forensics and security, so if you'd like, you can reply to me off-list and I'll be glad to offer you a hand.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
[PHP] Help securing a server : Owned by W4n73d H4ck3r
Hi,

One server that hosts several domains ended up with the message "Owned by W4n73d H4ck3r". While still performing an audit I am very confident that this was caused by a php script (it is a linux server) uploaded via FTP or by a defective site hosted (perhaps vulnerable version of a CMS).

The symptoms seem clear, files owned by apache are vulnerable and the attacker script scanned the web tree and started running.

So, basically two questions:
- how to detect where this came from
- how to prevent it from happening again

Thanks.