Re: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok thanks for more detail

ok, redirects are simply considered insecure when it comes to ssl certs

i.e. apache serves the content under the alias redirect prior to going 
to the main site.


that will definitely be the issue.

i ran into this myself (i have multiple domains redirected on one account ?)

my config for this is below, maybe this helps ?

it handles all the domains and the http redirects

i believe the trick is to issue all of the redirects under http:// only, 
pointing to one https:// site; that is how i got around this issue.


otherwise you would need one cert per actual domain

i don't see the harm in http:// --> https:// actual site

since apache redirects it immediately?



ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
ServerAlias eksolutions.ca
ServerAlias www.eksolutions.ca
ServerAlias eksolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias www.electrokineticsolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias electrokinetc.ca
ServerAlias www.electrokinetc.ca
ServerAlias electrokinetc.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias www.electro-kineticsolutions.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias www.electrokinetic-solutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias www.electro-kinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias www.ek-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias electrokinetic-solutions.com
ServerAlias www.electrokinetic-solutions.com
ServerAlias electrokinetic-solutions.com
ServerAlias eks.ca
ServerAlias www.eks.ca
ServerAlias eks.ca
Redirect permanent / https://electrokineticsolutions.com/



ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
DocumentRoot /www/eks.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/eks.ca/ssl/electrokineticsolutions.com.crt
SSLCertificateKeyFile /www/eks.ca/ssl/electrokineticsolutions.com.key
SSLCertificateChainFile /www/eks.ca/ssl/electrokineticsolutions.com.chain


SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/eks.ca:/var/log/



php_admin_value sys_temp_dir /www/eks.ca/tmp/



php_admin_value session.save_path /www/eks.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/eks.ca/tmp/



php_admin_value upload_tmp_dir /www/eks.ca/tmp



AllowOverride All
php_value session.save_path "/www/eks.ca/"

Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca
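The scheme Paul describes above (an http vhost that only redirects to one https site, one cert for that site, and PHP jailed to each vhost's own tree with open_basedir, as in his config and in the lockdown he describes in his earlier message quoted below) can be checked mechanically before a reload. This is an added example written for this thread, not Paul's database-driven generator or anything posted to the list; the config it parses is a constructed sample, and `cert_names` stands in for the names actually present on the certificate.

```python
import re

# Constructed sample modelled on the message's vhost pair (not Paul's file): :80 redirects only, :443 serves and jails PHP.
SAMPLE = """
<VirtualHost *:80>
ServerName example.test
ServerAlias www.example.test
ServerAlias example-alias.test
Redirect permanent / https://example.test/
</VirtualHost>
<VirtualHost *:443>
ServerName example.test
ServerAlias www.example.test
DocumentRoot /www/example.test
SSLEngine on
php_admin_value open_basedir /www/example.test:/var/log/
</VirtualHost>
"""

def parse_vhosts(text):
    """Return [(port, [(directive, value), ...])] for each <VirtualHost> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost[^>]*:(\d+)>(.*?)</VirtualHost>", text, re.S):
        directives = []
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
        vhosts.append((int(m.group(1)), directives))
    return vhosts

def audit(text, cert_names):
    """Return findings; cert_names = names on the one certificate the https vhost presents."""
    findings = []
    for port, d in parse_vhosts(text):
        vals = dict(d)  # last value wins; fine for the single-valued directives used below
        host = vals.get("ServerName", "?")
        names = {v for k, v in d if k in ("ServerName", "ServerAlias")}
        if port == 80:  # http side: redirect to https only, never serve content here
            redirects = [v for k, v in d if k == "Redirect" and "https://" in v]
            if "DocumentRoot" in vals or not redirects:
                findings.append(f"{host}:80 serves content instead of only redirecting to https")
        elif port == 443:  # https side: the cert must cover every name this vhost answers for
            missing = sorted(names - set(cert_names))
            if missing:
                findings.append(f"{host}:443 answers for names not on the cert: {missing}")
            jail = [v.partition(" ")[2].strip() for k, v in d if k == "php_admin_value" and v.startswith("open_basedir")]
            if not jail or any(p in ("/", "") for p in jail[-1].split(":")):
                findings.append(f"{host}:443 has no effective open_basedir jail for PHP")
    return findings
```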

On 7/6/2022 8:03 AM, James Smith wrote:

RE: [users@httpd] site compromised and httpd log analysis [EXT]

2022-07-06 Thread James Smith
Never had these issues at all if you set up vhosts correctly.

But agree we tend to have 2 vhosts for the domain

 * vhost 1 is the real vhost and handles requests
 * vhost 2 contains all the redirects from other domain names to the canonical 
one

The only ServerAlias lines in vhost 1 are for development URLs which are run on 
different servers

But we also don't expose our wordpress - but use a mirroring script to serve 
the site as predominantly static {takes careful design to do this!}


-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.)  
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]


ok may or may not be related but i found i had to lock php, wordpress etc down 
heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things more 
strict

yes it's a pain to have one vhost per site but it's the only way to fully isolate 
one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a 
database --> script generator so it's not too inconvenient.) :



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/



ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile 
/www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile 
/www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile 
/www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain


SuexecUserGroup www www



Order Deny,Allow
Deny from All




php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/



php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/



php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/



php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/



php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp



AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"

Happy Wednesday !!!
Thanks - paul

On 7/5/2022 9:52 PM, KK CHN wrote:
> https://pastebin.com/YspPiWif
> 
> One of the websites hosted by a customer on our Cloud infrastructure 
> was compromised, and the attackers were able to replace the home page 
> with their banner html page.
> 
> The log file output I have pasted above.
> 
> The site compromised was PHP 7 with MySQL.
> 
> From the above log, can someone point out what exactly happened and how 
> they were able to deface the home page.
> 
> How to prevent these attacks ? What is the root cause of this 
> vulnerability and how did the attackers get access ?
> 
> Any other logs or command line outputs required to trace back, kindly let 
> me know what other details I have to produce ?
> 
> Kindly shed your expertise in dealing with these kind of at