Cross-site contamination is not the same as exploiting insecure php scripts to upload malicious content.
I will agree that isolation is a good idea, but it really has little to do with the thread at hand.

On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <p...@scom.ca> wrote:
>
> ok may or may not be related but i found i had to lock php, wordpress
> etc down heavily in apache
>
> especially if you are using vhosts
>
> i found one authorized site could talk to another without making things
> more strict
>
> yes it's a pain to have one vhost per site but it's the only way to fully
> isolate one from the other
>
> if someone executes stuff it stays within their working directory
>
> example (shows http alias etc - note the directory directives - i use a
> database --> script generator so it's not too inconvenient.) :
>
> <VirtualHost *:80>
>     ServerName bedrockconstruction.ca
>     ServerAlias bedrockconstruction.ca
>     ServerAlias www.bedrockconstruction.ca
>     Redirect permanent / https://bedrockconstruction.ca/
> </VirtualHost>
>
> <VirtualHost *:443>
>     ServerName bedrockconstruction.ca
>     ServerAlias bedrockconstruction.ca
>     ServerAlias www.bedrockconstruction.ca
>     DocumentRoot /www/bedrockconstruction.ca
>
>     SSLEngine on
>     SSLProtocol all
>     SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
>     SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
>     SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain
>
>     SuexecUserGroup www www
>
>     <Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
>         <Files "*.php">
>             Order Deny,Allow
>             Deny from All
>         </Files>
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
>     </Directory>
>
>     <Directory "/www/bedrockconstruction.ca">
>         AllowOverride All
>         php_value session.save_path "/www/bedrockconstruction.ca/"
>     </Directory>
>
> </VirtualHost>
>
> Happy Wednesday !!!
> Thanks - paul
>
> Paul Kudla
>
> Scom.ca Internet Services <http://www.scom.ca>
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 7/5/2022 9:52 PM, KK CHN wrote:
> > https://pastebin.com/YspPiWif
> >
> > One of the websites hosted by a customer on our Cloud infrastructure
> > was compromised, and the attackers were able to replace the home page
> > with their banner html page.
> >
> > The log files output I have pasted above.
> >
> > The site compromised was PHP 7 with MySQL.
> >
> > From the above log, can someone point out what exactly happened and how
> > they were able to deface the home page.
> >
> > How to prevent these attacks? What is the root cause of this
> > vulnerability and how did the attackers get access?
> >
> > Any other logs or command line outputs required to trace back, kindly let
> > me know what other details I have to produce.
> >
> > Kindly shed your expertise in dealing with these kinds of attacks and
> > trace the root cause and prevention measures to block this.
> >
> > Regards,
> > Krish
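As an added example that is not part of this thread (neither Paul's config generator nor Krish's pastebin log is reproduced here), the following Python script scans Apache combined-format access log lines for requests that try to execute PHP from under wp-content/uploads/, which is exactly what the `<Files "*.php">` deny block in the quoted vhost is meant to stop. A 403 on such a request means the deny rule fired; a 200 means a script sitting in uploads was actually executed, which is the first thing an incident responder would want to find in a defacement case like Krish's. The log lines are constructed for the example; the extension list and the uploads prefix are assumptions, not values taken from the thread, and the list is deliberately wider than the single `*.php` pattern in the quoted config so the reader can check whether their own PHP handler mapping leaves a gap.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Only the leading fields are captured; referer and user agent are left unparsed.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: these extensions are mapped to the PHP handler on the host being checked
# (compare with your own AddType / FilesMatch lines). The vhost in the thread only denies "*.php".
# The trailing (/|$) also catches PATH_INFO style requests such as /x.php/anything.
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)(?:/|$)", re.IGNORECASE)

# Assumption: WordPress media tree lives at the default location under the document root.
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "?x=y" cannot hide or fake the extension.
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def is_php_under_uploads(path):
    """True when the request path points at a PHP-handled file inside the uploads tree."""
    return UPLOADS_PREFIX in path.lower() and PHP_EXT_RE.search(path) is not None


def find_upload_execution_attempts(lines):
    """Return one finding per request that tried to run PHP from the uploads tree.

    blocked=True means Apache answered 403 (the deny rule worked);
    blocked=False with status 200 means the script was served or executed.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_php_under_uploads(rec["path"]):
            continue
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "blocked": rec["status"] == 403,
        })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, invented file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2022:21:40:01 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jul/2022:21:40:09 +0530] "GET /wp-content/uploads/2022/07/uploaded.php?p=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Jul/2022:21:41:15 +0530] "POST /wp-content/uploads/2022/07/x.phtml HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '203.0.113.7 - - [05/Jul/2022:21:41:30 +0530] "GET /wp-content/uploads/2022/07/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in find_upload_execution_attempts(SAMPLE_LOG):
        verdict = "blocked (403)" if f["blocked"] else f"NOT blocked (status {f['status']})"
        print(f"{f['time']} {f['host']} {f['method']} {f['path']} -> {verdict}")
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file's lines; any finding with `blocked` false is a file in the uploads tree that the PHP handler processed, and the matching directory listing and file mtimes are the next things to pull. If the checker flags `.phtml` or `.phar` requests that a `*.php`-only deny rule let through, widen the `<Files>` pattern (or, better, disable the PHP handler for that directory altogether) rather than relying on the extension list here.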