Tom Diehl on 18 Jan 2005 06:31:48 -0000
On Mon, 17 Jan 2005, David Kaplowitz wrote:

> Well I noticed tonight that one of my web sites got defaced. I was
> rather chagrined as this is the first time I've been hacked after
> running public services for over 2 years.
>
> Upon closer inspection I noticed that every virtual host in my
> httpd.conf's index.html (about 8-9 sites) had been replaced by a lame
> index page by some Albanian political script kiddies. Although I've yet
> to find the smoking gun in my log files, I'm 99% positive they exploited
> weaknesses in my configuration (or lack thereof) of PHP/MySQL (and a few
> popular CMSes, TikiWiki and Wordpress). I'd noticed some problems a
> couple of weeks ago with my MySQL when I received a spam attack on my
> Wordpress blog; when I tried logging into the DB, I wasn't able to
> authenticate and assumed there was a configuration issue. Unfortunately
> I kept procrastinating looking further into it, which may have been my
> demise. So much for slacking on fixing problems.
>
> I'm running Apache 1.3.29 on OpenBSD 3.6-STABLE (note 1.3.29 is
> OpenBSD's security patched Apache; they actually don't recommend using
> 1.3.33 from apache.org for both licensing and security reasons), PHP
> 4.3.8 and MySQL 4.0.20...all in a chroot'ed environment.
>
> I've run chkrootkit on the box and nothing comes up, none of the
> authlog/secure logs look odd. The modded index.htmls are dated with
> yesterday's date. My apache logs weren't revealing much that was readily
> apparent, but I did notice a lot of odd stuff related to what appeared
> to be scripts trying undeclared variables against the server. I've yet
> to look into it deeper. I've disabled all public services on the box, and
> presently tarring up all the partitions and am going to reinstall, this
> time I'm not going to even install PHP or MySQL until I can get to the
> bottom of the exploit. I'd feel confident running a base Apache on
> OpenBSD again.
>
> Anyway, can any of you recommend any further actions to take on this
> first invasion? I'm sure I missed some things. But I'm pretty convinced
> that it's very unwise to be lazy when you're running the PHP/MySQL combo
> on a public server, esp. with some of these CMSes that are popular.

Just a thought, do you have "register_globals = On" in your php.ini??
If so that could be the reason your site got defaced. I know for
previous versions of php this kind of thing could be a problem. AFAIK,
it can still be a problem if the programmer is not careful. Have a look
here: http://groups-beta.google.com/group/comp.lang.php/msg/c3b0666dea7d75fd
for more info.

HTH,

Tom Diehl
tdiehl@rogueind.com
Spamtrap address mtd123@rogueind.com
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
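The register_globals hazard Tom asks about, shown as an added example (not code from the thread or from any of the CMSes mentioned). With register_globals = On, PHP 4 turned every request parameter into an ordinary variable before the script ran, so any variable a script relied on but never initialised could be pre-seeded by the client. The script below models that on a modern PHP by calling extract() explicitly, then shows the same check written so that it does not depend on the setting, and a small runtime check that the directive is off. The $request array is constructed for the demo, and the $loggedIn lookup stands in for a real session check.

```php
<?php
// Added example, not code from the PLUG thread or from TikiWiki/WordPress.
// Models the register_globals problem: request parameters become variables
// the script never set itself.

// Constructed request from a visitor who has not logged in.
$request = ['authorized' => '1', 'page' => 'admin'];

// --- Vulnerable pattern (written assuming register_globals = On) ---
// extract() stands in for register_globals so the demo runs on current PHP;
// on PHP 4 with the directive On, the engine did this implicitly.
function vulnerableCheck(array $request): bool
{
    extract($request);            // $authorized now exists, supplied by the client
    $loggedIn = false;            // hypothetical session lookup: nobody is logged in
    if ($loggedIn) {
        $authorized = true;
    }
    return !empty($authorized);   // decided by client input, not by the login check
}

// --- Hardened pattern ---
// 1. Initialise every variable the script depends on before it is read.
// 2. Read client input only through the superglobals ($_GET, $_POST, ...).
// 3. Keep register_globals = Off in php.ini and verify it at runtime.
function hardenedCheck(array $request): bool
{
    $authorized = false;          // explicit default; cannot be pre-seeded
    $loggedIn = false;            // hypothetical session lookup
    if ($loggedIn) {
        $authorized = true;
    }
    // $request['authorized'] is deliberately ignored; only the server-side
    // check decides.
    return $authorized;
}

// Returns true when register_globals is Off or the directive no longer
// exists. ini_get() yields "1" for On, "" or "0" for Off, and false when
// the directive is unknown (it was removed in PHP 5.4).
function registerGlobalsIsOff(): bool
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0';
}

var_dump(vulnerableCheck($request));
var_dump(hardenedCheck($request));
var_dump(registerGlobalsIsOff());
```

Run with `php demo.php`: vulnerableCheck() grants access although nobody logged in, hardenedCheck() denies it for the same request, and registerGlobalsIsOff() reports true on any PHP where the directive is Off or gone. The config fix on a PHP 4 box of the era is the line register_globals = Off in php.ini (or php_flag register_globals off in the relevant httpd.conf section), but as Tom notes, code that initialises its variables stays safe regardless of the setting.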