Re: Server compromised Zen-Cart record company Exploit

2010-02-04 Thread James Smallacombe
Replying to Bogdan Webb's reply recommending Suhosin: This appears to be exactly what I needed, thanks! The stock ports PHP install already has the Suhosin patch, but the extension is a godsend! Not only does it log everything, but it lets you manage PHP functions on a per virtual host

Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Bogdan Webb
Try PHP's safe_mode, but it is likely to keep the hackers off; indeed they can get in and snatch some data, but they would be kept out of a shell's reach... but sometimes safe_mode is not enough... try considering Suhosin, but the addon, not the patch... and define the suhosin.executor.func.blacklist

Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Fbsd1
Bogdan Webb wrote: Try PHP's safe_mode, but it is likely to keep the hackers off; indeed they can get in and snatch some data, but they would be kept out of a shell's reach... but sometimes safe_mode is not enough... try considering Suhosin, but the addon, not the patch... and define the

Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread James Smallacombe
(please reply-all; I am not sub'd and sorry for the top posting): I have safe_mode off due to popular demand. So many customer apps demand that it be kept off. In fact, here is a post from one of the Zen people on the Zen-cart forum. In light of this exploit, this might be a little

Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Bogdan Webb
Indeed it's pretty tricky with safe_mode; for certain I know that a version of a popular r57 shell had a safe_mode bypass - I was stunned to check the shell myself on my server... and I was thinking that safe_mode is enough... (+ I was using the Suhosin patch *which in fact does nothing

Server compromised Zen-Cart record company Exploit

2010-01-31 Thread James Smallacombe
Whoever speculated that my server may have been compromised was on to something (see bottom). The good news is, it does appear to be contained to the www unprivileged user (with no shell). The bad news is, they can still cause a lot of trouble. I found the compromised customer site and