Re: [users@httpd] Apache 2.4 and php

2022-07-06 Thread Frank Gingras
Paul,

httpd does not call php includes, period. This is processed by php alone.

On Wed, 6 Jul 2022 at 18:31, Paul  wrote:

> On 2022-07-06 08:27, Frank Gingras wrote:
> > First off, I would suggest not using prefork and mod_php, unless traffic is
> > minimal and performance is not a concern. Nowadays, the scalable solution
> > is to use php-fpm, and use a threaded mpm like event.
>
> Many thanks. Point well taken, on my "to do" list for a long time. My
> only excuse: the production server is very stable, rarely even
> approaches 10^6 hits a day, and whispers along quite nicely on 32 (64t)
> cores - uptime currently at 326 days.  What I need to do is to use the
> sandbox (subject of this thread) to delve into Apache Solr.  I am just
> astounded that a mirror copy is failing abjectly.
> >
> > Secondly, for your issue, you will need to look into the php logs as php is
> > generating the response.
>
> There is absolutely nothing in the php logs -- I get the impression that
> the Apache back end is just not calling the php includes. The site
> itself was rsynced from production, everything else looks "forensically"
> identical.  Maybe I'll just rebuild it again from scratch, as I may have
> made some sort of mistake somewhere, the order of installing the various
> elements, whatever...
>
> Again thanks -- Paul
> >
> > On Tue, 5 Jul 2022 at 16:24, Paul  wrote:
> >
> >>
> >> I'm going nowhere for what must be a small glitch.  Ubuntu server
> >> 20.04LTS, Apache/2.4.41 (Ubuntu) using mpm_prefork behind Nginx proxy
> >> server.
> >>
> >> We use php 7.4 for many thousands of static pages that use e.g.
> >> <?php include 'inc/tophead.html';?> giving us "<html lang="en"> , css, js, etc" sent to clients. Always reliable,
> >> production and backup machines delivering perfectly for many years.
> >>
> >> Just built a sandbox (to start looking at Apache Solr) as an exact
> >> replica of our production servers (but without letsencrypt), exact down
> >> to every file, version, release, permission, owner, dot and comma as far
> >> as I can see after hours of searching around.
> >>
> >> The sandbox is delivering "raw text" ,
> >> not the content of the included file. Log files give no clue -- apache
> >> just "200" responses for the  text and images, but obviously not
> >> the css, js, layout -- syslog, auth, nginx and php exactly the same as
> >> on the production servers.
> >>
> >> Suggestions, pointers, ideas would be warmly welcomed -- and save what's
> >> left of my sanity ;=}
> >>
> >> Many thanks,
> >> Paul
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >>
> >
>
>


Re: [users@httpd] Apache 2.4 and php

2022-07-06 Thread Paul

On 2022-07-06 08:27, Frank Gingras wrote:

First off, I would suggest not using prefork and mod_php, unless traffic is
minimal and performance is not a concern. Nowadays, the scalable solution
is to use php-fpm, and use a threaded mpm like event.


Many thanks. Point well taken, on my "to do" list for a long time. My 
only excuse: the production server is very stable, rarely even 
approaches 10^6 hits a day, and whispers along quite nicely on 32 (64t) 
cores - uptime currently at 326 days.  What I need to do is to use the 
sandbox (subject of this thread) to delve into Apache Solr.  I am just 
astounded that a mirror copy is failing abjectly.


Secondly, for your issue, you will need to look into the php logs as php is
generating the response.


There is absolutely nothing in the php logs -- I get the impression that 
the Apache back end is just not calling the php includes. The site 
itself was rsynced from production, everything else looks "forensically" 
identical.  Maybe I'll just rebuild it again from scratch, as I may have 
made some sort of mistake somewhere, the order of installing the various 
elements, whatever...


Again thanks -- Paul


On Tue, 5 Jul 2022 at 16:24, Paul  wrote:



I'm going nowhere for what must be a small glitch.  Ubuntu server
20.04LTS, Apache/2.4.41 (Ubuntu) using mpm_prefork behind Nginx proxy
server.

We use php 7.4 for many thousands of static pages that use e.g.
<?php include 'inc/tophead.html';?> giving us "<html lang="en"> , css, js, etc" sent to clients. Always reliable,
production and backup machines delivering perfectly for many years.

Just built a sandbox (to start looking at Apache Solr) as an exact
replica of our production servers (but without letsencrypt), exact down
to every file, version, release, permission, owner, dot and comma as far
as I can see after hours of searching around.

The sandbox is delivering "raw text" ,
not the content of the included file. Log files give no clue -- apache
just "200" responses for the  text and images, but obviously not
the css, js, layout -- syslog, auth, nginx and php exactly the same as
on the production servers.

Suggestions, pointers, ideas would be warmly welcomed -- and save what's
left of my sanity ;=}

Many thanks,
Paul




Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Yehuda Katz
On Wed, Jul 6, 2022 at 9:08 AM KK CHN  wrote:

> On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz  wrote:
>
>> Your log doesn't start early enough. Someone uploaded a web shell (or
>> found an existing web shell) to your server, possibly using an upload for
>> that doesn't validate the input, then used that shell to run commands on
>> your server.
>>
> Here is another old log  paste
> https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=
>
>

I see an entry in that log file mentioning a web shell on June 19:

175.141.226.202 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/origiinal-shellbackdoor-anonymous-bypass-kak827j.php?path=/var/www/html HTTP/1.1"


You can see the same IP address added a second hidden shell (gel4y - an
open-source hidden shell).


> I would like to know what other details / analysis we need to perform to
> find out how the attacker got access and what time the backdoor was
> installed and through what vulnerability they exploited ?
> I request your tips  to investigate further and to find the root cause of
> this kind of attack and how to prevent it in future..??
>

As I said before, you need to make sure your webserver will not try to
execute files uploaded by users.
Since you mentioned Wordpress: Wordpress is well known for having this
vulnerability because uploads are stored in a public location by default.
Make sure none of your plugins allow file uploads with
unspecified extensions - for example, an upload form for pictures should
check to make sure that what was uploaded is actually a picture before
moving it to the wp-content/uploads directory.
You should also look into blocking execution of PHP and other scripts in
the wp-content/uploads directory (and any other location an untrusted user
may be able to upload to).

- Y
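
An added Python triage script, written here to illustrate the log review Yehuda describes (it is not code from the thread or from any of its participants): it parses combined-format access log lines, flags requests for PHP-style scripts under upload directories such as wp-content/uploads, treats a 200 as evidence the script actually ran, and pairs each hit with the previous POST from the same client as a rough guess at when the file was planted. The log lines, IPs, upload directory names and file names are constructed samples.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample access log (Apache "combined" format). IPs, paths and
# file names are made up for illustration; they are not from the thread's paste.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jun/2022:03:30:11 +0530] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2022:03:33:40 +0530] "POST /dashboard/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/shell-EXAMPLE.php?path=/var/www/html HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2022:04:01:52 +0530] "GET /wp-content/uploads/2022/06/photo.jpg HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2022:04:02:10 +0530] "GET /wp-content/uploads/2022/06/gel4y.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Matches LogFormat "%h %l %u %t \"%r\" %>s %b ..." (the "combined" format);
# only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Directories that hold untrusted uploads: WordPress's default location and a
# custom /dashboard/upload/ tree like the one in the thread. Extend for your app.
UPLOAD_DIRS = ("/wp-content/uploads/", "/dashboard/upload/", "/uploads/")

# Extensions the PHP handler will execute unless the directory forbids it.
SCRIPT_EXT_RE = re.compile(r"\.(php[0-9]?|phtml|phar)$", re.IGNORECASE)


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    query: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return Request(m.group("ip"), ts, m.group("method"), path, query,
                   int(m.group("status")))


def parse_log(text: str) -> List[Request]:
    """Parse a whole log, dropping malformed lines (keep those aside for manual review)."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def is_script_in_upload_dir(path: str) -> bool:
    """True when the path names a PHP-style script under an upload directory."""
    return any(d in path for d in UPLOAD_DIRS) and bool(SCRIPT_EXT_RE.search(path))


@dataclass
class Finding:
    request: Request
    executed: bool                    # status 200: httpd handed the file to PHP and it ran
    likely_upload: Optional[Request]  # last POST from the same client before the hit


def triage(requests: List[Request]) -> List[Finding]:
    """Flag script hits under upload directories (log assumed to be in time order).

    Pairing a hit with the preceding POST from the same client is only a
    heuristic: the upload may have come from another address or through a
    channel (FTP, a second shell) that never appears in the httpd log at all.
    """
    findings: List[Finding] = []
    for i, r in enumerate(requests):
        if not is_script_in_upload_dir(r.path):
            continue
        prior_posts = [p for p in requests[:i] if p.ip == r.ip and p.method == "POST"]
        findings.append(Finding(r, r.status == 200,
                                prior_posts[-1] if prior_posts else None))
    return findings


def earliest_executed(findings: List[Finding]) -> Optional[datetime]:
    """Lower bound on when a planted script first ran; None if no hit returned 200."""
    hits = [f.request.ts for f in findings if f.executed]
    return min(hits) if hits else None


if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_LOG))
    for f in results:
        r, up = f.request, f.likely_upload
        when = f"{up.ts:%H:%M:%S} {up.path}" if up else "none"
        print(f"{r.ts:%Y-%m-%d %H:%M:%S} {r.ip} {r.path} status={r.status} "
              f"executed={f.executed} likely_upload={when}")
    print("first confirmed execution:", earliest_executed(results))
```

Run it against the real access log (and the rotated ones, since the thread's first paste did not start early enough) rather than the sample; a 404 on a script name in an upload directory is still worth a look, because it shows the client knew the name.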


Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Happy Wednesday

Ok allow me to share some experience :

about 4 years ago 1one1 hosting, myself and a bunch of others got hacked.

this is because i was using common vhosts pointing to the web directory

because www:www were the rights (no real easy way to get around that) i 
had to lock php down (as indicated) along with wordpress etc.


It appears this is the real issue at hand, once a server is compromised 
(regardless of the operating system at hand) it basically needs to be wiped 
clean and reloaded


the config below might be like using a ballistic missile when a sledge 
hammer will do ...


however touch wood i have not been hacked since

and if someone does figure out a site login (ftp,wordpress etc) then the 
damage is contained to that site and will not bleed out sideways.


unfortunately this is what is required in today's operating environment

so basically with this config

central logging that will firewall ip's on demand

wordpress fail2ban showing bad admin logins being tracked

people try all day long but no real issues other than the odd dos attacks 
which the firewall will fix within 20 minutes of the attack?



Hope this explains / helps .


Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/6/2022 8:57 AM, Frank Gingras wrote:
Cross-site contamination is not the same as exploiting insecure php 
scripts to upload malicious content.


I will agree that isolation is a good idea, but it really has little to 
do with the thread at hand.


On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:



ok may or may not be related but i found i had to lock php, wordpress
etc down heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things
more strict

yes its a pain to have one vhost per site but its the only way to fully
isolate one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a
database --> script generator so its not too inconvenient.) :



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca

Redirect permanent / https://bedrockconstruction.ca/




ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca

DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain



SuexecUserGroup www www

<Directory "/www/bedrockconstruction.ca/wp-content/uploads/">

Order Deny,Allow
Deny from All

</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</Directory>

<Directory "/www/bedrockconstruction.ca">
AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
</Directory>














Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca 

On 7/5/2022 9:52 PM, KK CHN wrote:
 > https://pastebin.com/YspPiWif 

Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread KK CHN
On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz  wrote:

> Your log doesn't start early enough. Someone uploaded a web shell (or
> found an existing web shell) to your server, possibly using an upload for
> that doesn't validate the input, then used that shell to run commands on
> your server.
>

Yes, that was not too old log

Here is another old log  paste
https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=


.

Here is another log which starts earlier than the earlier logs.  Which may
help to investigate more.

> I would consider your entire server to be compromised at this point since
> you have no record of what else the attacker could have done once they had
> a shell.
>
Yes we took the server down, and recreated the VM with an old backup. Also
informed the developer/maintainer about this simple.shell execution and the
need of regular patching of the PHP7 version and the wordpress framework
they used for hosting.

I would like to know what other details / analysis we need to perform to
find out how the attacker got access and what time the backdoor was
installed and through what vulnerability they exploited ?

I request your tips  to investigate further and to find the root cause of
this kind of attack and how to prevent it in future..??



> Make sure that you do not allow users to upload files and then execute
> those files.
>
> - Y
>
> On Tue, Jul 5, 2022 at 9:53 PM KK CHN  wrote:
>
>> https://pastebin.com/YspPiWif
>>
>> One of the websites hosted  by a customer on our Cloud infrastructure was
>> compromised, and the attackers were able to replace the home page with
>> their banner html page.
>>
>> The log files output I have pasted above.
>>
>> The site compromised was PHP 7 with MySQL.
>>
>> From the above log, can someone point out what exactly happened and how
>> they are able to deface the home page.
>>
>> How to prevent these attacks ? What is the root cause of this
>> vulnerability  and how the attackers got access ?
>>
>> Any other logs or command line outputs required to trace back kindly let
>> me know what other details  I have to produce ?
>>
>> Kindly shed your expertise in dealing with these kind of attacks and
>> trace the root cause and prevention measures to block this.
>>
>> Regards,
>> Krish
>>
>>
>>


Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Frank Gingras
Cross-site contamination is not the same as exploiting insecure php scripts
to upload malicious content.

I will agree that isolation is a good idea, but it really has little to do
with the thread at hand.

On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <
p...@scom.ca> wrote:

>
> ok may or may not be related but i found i had to lock php, wordpress
> etc down heavily in apache
>
> especially if you are using vhosts
>
> i found one authorized site could talk to another without making things
> more strict
>
> yes its a pain to have one vhost per site but its the only way to fully
> isolate one from the other
>
> if someone executes stuff it stays within their working directory
>
> example (shows http alias etc - note the directory directives - i use a
> database --> script generator so its not too inconvenient.) :
>
>
> 
> ServerName bedrockconstruction.ca
> ServerAlias bedrockconstruction.ca
> ServerAlias www.bedrockconstruction.ca
> Redirect permanent / https://bedrockconstruction.ca/
> 
>
> 
> ServerName bedrockconstruction.ca
> ServerAlias bedrockconstruction.ca
> ServerAlias www.bedrockconstruction.ca
> DocumentRoot /www/bedrockconstruction.ca
>
> SSLEngine on
> SSLProtocol all
> SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
> SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
> SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain
>
>
> SuexecUserGroup www www
>
> 
> 
> Order Deny,Allow
> Deny from All
> 
> 
>
> 
> php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
> 
>
> 
> php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
> 
>
> 
> AllowOverride All
> php_value session.save_path "/www/bedrockconstruction.ca/"
> 
>
> 
>
>
>
>
>
>
>
>
>
>
>
>
> Happy Wednesday !!!
> Thanks - paul
>
> Paul Kudla
>
>
> Scom.ca Internet Services 
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 7/5/2022 9:52 PM, KK CHN wrote:
> > https://pastebin.com/YspPiWif 
> >
> > One of the websites hosted  by a customer on our Cloud infrastructure
> > was compromised, and the attackers were able to replace the home page
> > with their banner html page.
> >
> > The log files output I have pasted above.
> >
> > The site compromised was PHP 7 with MySQL.
> >
> >  From the above log, can someone point out what exactly happened and how
> > they are able to deface the home page.
> >
> > How to prevent these attacks ? What is the root cause of this
> > vulnerability  and how the attackers got access ?
> >
> > Any other logs or command line outputs required to trace back kindly let
> > me know what other details  I have to produce ?
> >
> > Kindly shed your expertise in dealing with these kind of attacks and
> > trace the root cause and prevention measures to block this.
> >
> > Regards,
> > Krish
> >
> >
> >
>
>
>


Re: [users@httpd] NameVirtualHost fails

2022-07-06 Thread Frank Gingras
Paul,

Not sure how your example helps with the OP issue at all.

On Wed, 6 Jul 2022 at 06:40, Paul Kudla (SCOM.CA Internet Services Inc.) <
p...@scom.ca> wrote:

>
> this is how my ssl, vhosts, redirects are setup maybe this will help
>
> note any ssl website name MUST equal a valid certificate or you will get
> a cert mismatch error !!
>
> granted there are several cert authorities (free ssl etc) i have found
> its just easier to get a resale account (lots of providers opensrs,
> certigo, thawte etc etc) and pay the 10.00 per cert.
>
> cert would be ok for www.xxx.com and xxx.com (aka you typically only
> need one certificate per site.)
>
> not pushing any provider, just saying letsencrypt etc does not always
> work reliably or speed issues
>
>
>
> 
> ServerName bedrockconstruction.ca
> ServerAlias bedrockconstruction.ca
> ServerAlias www.bedrockconstruction.ca
> Redirect permanent / https://bedrockconstruction.ca/
> 
>
> 
> ServerName bedrockconstruction.ca
> ServerAlias bedrockconstruction.ca
> ServerAlias www.bedrockconstruction.ca
> DocumentRoot /www/bedrockconstruction.ca
>
> SSLEngine on
> SSLProtocol all
> SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
> SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
> SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain
>
>
> SuexecUserGroup www www
>
> 
> 
> Order Deny,Allow
> Deny from All
> 
> 
>
> 
> php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
> 
>
> 
> php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
> 
>
> 
> php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
> 
>
> 
> AllowOverride All
> php_value session.save_path "/www/bedrockconstruction.ca/"
> 
>
> 
>
>
>
> Happy Wednesday !!!
> Thanks - paul
>
> Paul Kudla
>
>
> Scom.ca Internet Services 
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 7/5/2022 5:38 PM, scom...@httpd.apache.org wrote:
> > I've tried several variations but basically the error message is that
> > the certificate and the key for example2.com
> >  don't match. I thought I had set up the
> > certificate with the proper keys so something must be screwed up  with
> > the certificate. I'm working on that.
> >
> > Jack
> >
> >> On 2 Jul 2022, at 1:21, Frank Gingras wrote:
> >>
> >> What does the error log say, exactly? Note that TLS failures can be
> >> almost silent in the logs, so if a single vhost causes the startup
> >> error, then check the certificate.
> >>
> >> On Fri, 1 Jul 2022 at 17:24, jnil...@jala.com wrote:
> >>
> >> Here's an example version of my vhosts.conf file:
> >>
> >> # http redirect
> >> 
> >>  ServerName central.com
> >>  ServerAlias www.example1.com *.example1.com
> >>  Redirect / https://www.example1.com/
> >>  ErrorLog /var/log/apache2/example1.com-error80_log
> >>  CustomLog /var/log/apache2/example1.com-access80_log combined
> >> 
> >>
> >> 
> >>  ServerName example2.com
> >>  ServerAlias www.example2.com *.example2.com
> >>  Redirect / https://www.example2.com/
> >>  ErrorLog /var/log/apache2/example2.com-error80_log
> >>  CustomLog /var/log/apache2/example2.com-access80_log combined
> >> 
> >>
> >> # https version
> >> 
> >>  ServerAdmin webmas...@central.com
> >>  ServerName example1.com
> >>  ServerAlias www.example1.com *.example1.com
> >>  DocumentRoot "/home/data/hqwww/htdocs"
> >>  SSLEngine on
> >>  SSLProtocol all -SSLv2
> >>  SSLCertificateFile /etc/apache2/ssl.crt/example.crt
> >>  SSLCertificateKeyFile /etc/apache2/ssl.key/www.example1.com.key
> >>  SSLCertificateChainFile /etc/apache2/ssl.crt/example1.ca-bundle
> >>  RewriteEngine On
> >>  RewriteOptions Inherit
> >>
> >>
> >>  
> >>   AllowOverride None
> >>   Options FollowSymlinks
> >>   Require all granted
> >>  
> >>
> >>
> >>   AccessFileName .htaccess
> >>
> >>  ErrorLog /var/log/apache2/example1.com
> >> 

Re: [users@httpd] Apache 2.4 and php

2022-07-06 Thread Frank Gingras
First off, I would suggest not using prefork and mod_php, unless traffic is
minimal and performance is not a concern. Nowadays, the scalable solution
is to use php-fpm, and use a threaded mpm like event.

Secondly, for your issue, you will need to look into the php logs as php is
generating the response.

On Tue, 5 Jul 2022 at 16:24, Paul  wrote:

>
> I'm going nowhere for what must be a small glitch.  Ubuntu server
> 20.04LTS, Apache/2.4.41 (Ubuntu) using mpm_prefork behind Nginx proxy
> server.
>
> We use php 7.4 for many thousands of static pages that use e.g.
> <?php include 'inc/tophead.html';?> giving us "<html lang="en"> , css, js, etc" sent to clients. Always reliable,
> production and backup machines delivering perfectly for many years.
>
> Just built a sandbox (to start looking at Apache Solr) as an exact
> replica of our production servers (but without letsencrypt), exact down
> to every file, version, release, permission, owner, dot and comma as far
> as I can see after hours of searching around.
>
> The sandbox is delivering "raw text" ,
> not the content of the included file. Log files give no clue -- apache
> just "200" responses for the  text and images, but obviously not
> the css, js, layout -- syslog, auth, nginx and php exactly the same as
> on the production servers.
>
> Suggestions, pointers, ideas would be warmly welcomed -- and save what's
> left of my sanity ;=}
>
> Many thanks,
> Paul
>
>
>


Re: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok thats for more detail 

ok redirects simply are considered insecure when it comes to ssl certs

ie apache serves the content under the alias redirect previous to going 
towards the main site.


that will definitely be the issue.

i ran into this myself (i have multiple domains redirected on one account ?)

my config for this is below maybe this helps ?

it handles all the domains and the http redirects

i believe the trick is to issue all of the redirects under http:// only 
pointing to one https:// is how i got around this issue.


otherwise you would need one cert per actual domain

i dont see the harm in http:// --> https:// actual site

since apache redirects it immediately?



ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
ServerAlias eksolutions.ca
ServerAlias www.eksolutions.ca
ServerAlias eksolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias www.electrokineticsolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias electrokinetc.ca
ServerAlias www.electrokinetc.ca
ServerAlias electrokinetc.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias www.electro-kineticsolutions.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias www.electrokinetic-solutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias www.electro-kinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias www.ek-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias electrokinetic-solutions.com
ServerAlias www.electrokinetic-solutions.com
ServerAlias electrokinetic-solutions.com
ServerAlias eks.ca
ServerAlias www.eks.ca
ServerAlias eks.ca
Redirect permanent / https://electrokineticsolutions.com/



ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
DocumentRoot /www/eks.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/eks.ca/ssl/electrokineticsolutions.com.crt
SSLCertificateKeyFile /www/eks.ca/ssl/electrokineticsolutions.com.key
SSLCertificateChainFile /www/eks.ca/ssl/electrokineticsolutions.com.chain


SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/eks.ca:/var/log/



php_admin_value sys_temp_dir /www/eks.ca/tmp/



php_admin_value session.save_path /www/eks.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/eks.ca/tmp/



php_admin_value upload_tmp_dir /www/eks.ca/tmp



AllowOverride All
php_value session.save_path "/www/eks.ca/"









Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/6/2022 8:03 AM, James Smith wrote:

Never had these issues at all if you set up vhosts correctly.

But agree we tend to have 2 vhosts for the domain

  * vhost 1 is the real vhost and handle requests
  * vhost 2 contains all the redirects from other domain names to the canonical one

The only ServerAlias lines in vhost 1 are for development URLs which are run on 
different servers

But we also don't expose our wordpress - but use a mirroring script to serve 
the site as predominantly static {takes careful design to do this!}


-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.) 
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]


ok may or may not be related but i found i had to lock php, wordpress etc down 
heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more 
strict

yes its a pain to have one vhost per site but its the only way to fully isolate 
one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a database 
--> script generator so its not too inconvenient.) :



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias 

RE: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread James Smith
Never had these issues at all if you set up vhosts correctly.

But agree we tend to have 2 vhosts for the domain

 * vhost 1 is the real vhost and handle requests
 * vhost 2 contains all the redirects from other domain names to the canonical one

The only ServerAlias lines in vhost 1 are for development URLs which are run on 
different servers

But we also don't expose our wordpress - but use a mirroring script to serve 
the site as predominantly static {takes careful design to do this!}


-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.)  
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]


ok may or may not be related but i found i had to lock php, wordpress etc down 
heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more 
strict

yes its a pain to have one vhost per site but its the only way to fully isolate 
one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a 
database --> script generator so its not too inconvenient.) :



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain


SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/



php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/



php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/



php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp



AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"















Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 

004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/5/2022 9:52 PM, KK CHN wrote:
> https://pastebin.com/YspPiWif
> 
> One of the websites hosted  by a customer on our Cloud infrastructure 
> was compromised, and the attackers were able to replace the home page 
> with their banner html page.
> 
> The log files output I have pasted above.
> 
> The site compromised was PHP 7 with MySQL.
> 
> From the above log, can someone point out what exactly happened and how 
> they were able to deface the home page?
> 
> How to prevent these attacks? What is the root cause of this 
> vulnerability, and how did the attackers get access?
> 
> If any other logs or command line outputs are required to trace back, kindly let 
> me know what other details I have to produce.
> 
> Kindly share your expertise in dealing with these kinds of attacks, and 
> trace the root cause and prevention measures to block this.
> 
> Regards,
> Krish
> 
> 

RE: [users@httpd] NameVirtualHost fails [EXT]

2022-07-06 Thread James Smith
Let's Encrypt is reliable from our point of view - never had an issue with it - 
we occasionally have issues when renewing certs - we have about 90 of them - 
but that is mainly with the "fake-manual" process of updating DNS, which is not 
100% reliable with the changes we make.

In use, speed should be no different from any other cert - as long as you have 
the appropriate intermediates and your browser has the right root certs.

You can also create a cert with multiple SANs, so you may only need one cert 
anyway.





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Re: [users@httpd] NameVirtualHost fails

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



This is how my SSL, vhosts and redirects are set up; maybe this will help.

Note: any SSL website name MUST equal a valid certificate or you will get 
a cert mismatch error !!


Granted there are several cert authorities (free SSL etc.); I have found 
it's just easier to get a resale account (lots of providers: OpenSRS, 
certigo, Thawte etc. etc.) and pay the 10.00 per cert.


The cert would be OK for www.xxx.com and xxx.com (aka you typically only 
need one certificate per site.)


Not pushing any provider, just saying letsencrypt etc. does not always 
work reliably, or has speed issues.





ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain



SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/



php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/



php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/



php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp



AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"






Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/5/2022 5:38 PM, scom...@httpd.apache.org wrote:
I've tried several variations but basically the error message is that 
the certificate and the key for example2.com 
 don't match. I thought I had set up the 
certificate with the proper keys so something must be screwed up  with 
the certificate. I'm working on that.


Jack

On 2 Jul 2022, at 1:21, Frank Gingras wrote:


What does the error log say, exactly? Note that TLS failures can be 
almost silent in the logs, so if a single vhost causes the startup 
error, then check the certificate.


On Fri, 1 Jul 2022 at 17:24, jnil...@jala.com wrote:


Here's an example version of my vhosts.conf file:

# http redirect

 ServerName central.com 
 ServerAlias www.example1.com *.example1.com
 Redirect / https://www.example1.com/
 ErrorLog /var/log/apache2/example1.com-error80_log
 CustomLog /var/log/apache2/example1.com-access80_log combined



 ServerName example2.com
 ServerAlias www.example2.com *.example2.com
 Redirect / https://www.example2.com/
 ErrorLog /var/log/apache2/example2.com-error80_log
 CustomLog /var/log/apache2/example2.com-access80_log combined


# https version

 ServerAdmin webmas...@central.com 
 ServerName example1.com 
 ServerAlias www.example1.com *.example1.com
 DocumentRoot "/home/data/hqwww/htdocs"
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCertificateFile /etc/apache2/ssl.crt/example.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/www.example1.com.key

 SSLCertificateChainFile /etc/apache2/ssl.crt/example1.ca-bundle
 RewriteEngine On
 RewriteOptions Inherit


 
  AllowOverride None
  Options FollowSymlinks
  Require all granted
 


  AccessFileName .htaccess

 ErrorLog /var/log/apache2/example1.com-error_log
 CustomLog /var/log/apache2/example1.com-access_log combined


  Include /etc/apache2/conf.d/*.conf




  ServerAdmin webmas...@central.com 
  ServerName example2.com 
  ServerAlias www.example2.com *.example2.com
  DocumentRoot "/home/data/jmnwww/htdocs"
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/apache2/ssl.crt/example2.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/www.example2.com.key

Re: [users@httpd] site compromised and httpd log analysis

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



OK, may or may not be related, but I found I had to lock PHP, WordPress 
etc. down heavily in Apache,


especially if you are using vhosts.

I found one authorized site could talk to another without making things 
more strict.


Yes, it's a pain to have one vhost per site, but it's the only way to fully 
isolate one from the other.


If someone executes stuff, it stays within their working directory.

Example (shows http alias etc. - note the directory directives - I use a 
database --> script generator so it's not too inconvenient.):




ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain



SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/



php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/



php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/



php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp



AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 7/5/2022 9:52 PM, KK CHN wrote:

https://pastebin.com/YspPiWif 

One of the websites hosted  by a customer on our Cloud infrastructure 
was compromised, and the attackers were able to replace the home page 
with their banner html page.


The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how 
they were able to deface the home page?


How to prevent these attacks? What is the root cause of this 
vulnerability, and how did the attackers get access?


If any other logs or command line outputs are required to trace back, kindly let 
me know what other details I have to produce.


Kindly share your expertise in dealing with these kinds of attacks, and 
trace the root cause and prevention measures to block this.


Regards,
Krish




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
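Added example, not from any message in this thread and not Paul's script generator: a small Python audit that reads a vhost config and flags, per VirtualHost, open_basedir entries that reach another site's DocumentRoot and temp/session directories that are not inside the site's own tree, which is the isolation the post above argues for. The config it runs on is constructed; the hostname other.example and its paths are placeholders.

```python
import re
# Constructed sample (not the post's config): vhost one is confined as the post describes, vhost two is not.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</VirtualHost>
<VirtualHost *:443>
ServerName other.example
DocumentRoot /www/other.example
php_admin_value open_basedir /www
php_admin_value upload_tmp_dir /tmp
</VirtualHost>
"""
TMP_KEYS = ("sys_temp_dir", "session.save_path", "upload_tmp_dir")
def parse_vhosts(conf):
    """Yield one dict per <VirtualHost>: plain directives, plus 'php' for php_admin_value settings."""
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"php": {}}
        for line in body.splitlines():
            parts = line.strip().split(None, 2)
            if len(parts) == 3 and parts[0].lower() == "php_admin_value":
                vh["php"][parts[1]] = parts[2].strip('"')  # cannot be undone from .htaccess
            elif len(parts) >= 2:
                vh[parts[0]] = " ".join(parts[1:])
        yield vh

def inside(path, root):
    """True when path is root itself or lies below it (trailing slashes ignored)."""
    p, r = path.rstrip("/"), root.rstrip("/")
    return p == r or p.startswith(r + "/")

def audit(conf):
    """{ServerName: [findings]}; an empty list means the vhost stays inside its own tree."""
    vhosts, report = list(parse_vhosts(conf)), {}
    for vh in vhosts:
        root, php, out = vh.get("DocumentRoot", ""), vh["php"], []
        others = [o["DocumentRoot"] for o in vhosts if o is not vh and "DocumentRoot" in o]
        for entry in php.get("open_basedir", "/").split(":"):  # unset behaves like "/"
            if entry and not inside(entry, root) and any(inside(o, entry) for o in others):
                out.append(f"open_basedir {entry} also covers another site's DocumentRoot")
        for key in TMP_KEYS:  # unset means PHP's default, a directory shared by every vhost
            if key not in php or not inside(php[key], root):
                out.append(f"{key} {php.get(key, 'unset')} is not inside the site's own tree")
        report[vh.get("ServerName", "?")] = out
    return report
```

Run `audit()` over a config dumped by `apachectl -S`-style tooling or the vhost files themselves; the /var/log/ entry in the first vhost is accepted because it covers no other site's DocumentRoot, which is the question this check asks.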