Hi,
Florian Reitmeir wrote:
> I had a similar encounter about 2 months ago. The intruder exploited a
> PHP script that was poorly written. If you check your http access logs,
> you will most likely find an entry about the PHP script that is being exploited.
> Once you find the offending PHP script, you can either remove it or
> add an exit(0); on top of the script so that it does not accept any
> input. If you are a good PHP programmer, you could fix the script so
> that it validates whatever input it's getting.
>
> If PHP is the entry point, then take a look at
> - libapache2-mod-suphp
> - PHP SAFE-Mode
> - PHP Basedir
> - set 'allow_url_fopen = Off' in your php.ini
> They help. Also make sure that there is no
> writable directory for the apache user.
If you have to leave some writable folders for Apache user, say, /tmp,
moving /tmp to another partition/filesystem and mounting it with
"noexec" option would prevent most harm /any/ PHP script can cause.
A PHP script alone can do little, but along with an HTTP-uploaded ELF
binary that gets executed in the security context of the Apache web server
it is a lot more scary.
-HAND
--
Enver
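The checks discussed in this thread (is /tmp really mounted noexec, what do the relevant php.ini directives say, which PHP scripts were requested with a remote URL in their query string, and which directories are world-writable) as a small POSIX shell script. This is an added example, not code from the list posting; it runs on constructed sample data embedded below, and the functions read their input from stdin so the real /proc/mounts, php.ini and Apache access log can be fed in instead. The sample IPs, paths and log lines are all made up.

```shell
#!/bin/sh
# Added example: defensive checks matching the advice in the thread above.
# Every SAMPLE_* value below is constructed input so the script runs offline;
# in real use pipe /proc/mounts, php.ini and the access log into the functions.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/www ext3 rw 0 0'

SAMPLE_PHP_INI='; constructed php.ini fragment
safe_mode = Off
allow_url_fopen = On
open_basedir =
display_errors = On'

SAMPLE_ACCESS_LOG='192.0.2.10 - - [12/Mar/2006:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:10:02:15 +0100] "GET /gallery/view.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 314 "-" "libwww-perl/5.8"
192.0.2.11 - - [12/Mar/2006:10:03:40 +0100] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:10:04:01 +0100] "GET /gallery/view.php?page=http%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1" 200 314 "-" "libwww-perl/5.8"
192.0.2.12 - - [12/Mar/2006:10:05:09 +0100] "GET /news.php?id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# mount_opts MOUNTPOINT < /proc/mounts
# Prints "noexec" if the mountpoint is a separate filesystem mounted noexec,
# "exec" if it is mounted without that option, "unmounted" if it is not a
# separate filesystem at all (then a noexec /tmp has not actually been set up).
mount_opts() {
    awk -v mp="$1" '
        $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "noexec"; exit }
            print "exec"; exit
        }
        END { if (!seen) print "unmounted" }'
}

# php_ini_value DIRECTIVE < php.ini
# Prints the effective value of a directive: comment lines are skipped and the
# last uncommented assignment wins, as PHP itself resolves it. Empty if unset.
php_ini_value() {
    awk -v key="$1" '
        /^[ \t]*[;#]/ { next }                     # comment lines
        index($0, "=") == 0 { next }               # not an assignment
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                  # later assignments override
        }
        END { print val }'
}

# suspicious_php_requests < access.log
# Prints "count script" for every .php script that was requested with a
# remote URL (http, https or ftp) as a query-string value, the pattern that
# allow_url_fopen = Off exists to neutralise. URL-encoded ":" and "/" are
# decoded first so %3A%2F%2F does not slip past the check.
suspicious_php_requests() {
    awk '{
        req = $7                                   # request path incl. query string
        q = index(req, "?"); if (q == 0) next
        script = substr(req, 1, q - 1); query = tolower(substr(req, q + 1))
        if (script !~ /\.php$/) next
        gsub(/%3a/, ":", query); gsub(/%2f/, "/", query)
        if (query ~ /(^|[=&])(https?|ftp):\/\//) hits[script]++
    }
    END { for (s in hits) print hits[s], s }' | sort -k2
}

# other_writable_dirs ROOT
# Lists directories under ROOT that any user can write to (mode o+w). To see
# everything the Apache user can write, run it as that user over the document
# root and /tmp; this version only checks the world-writable bit, so it needs
# no user switch.
other_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_MOUNTS"     | mount_opts /tmp                 # noexec
printf '%s\n' "$SAMPLE_PHP_INI"    | php_ini_value allow_url_fopen   # On
printf '%s\n' "$SAMPLE_ACCESS_LOG" | suspicious_php_requests          # 2 /gallery/view.php
```

Two caveats a reader should keep in mind: `mount_opts` only tells you about the mount option, not whether something is still running from /tmp (an already-started binary is not stopped by remounting noexec, and an interpreter such as `perl /tmp/x.pl` bypasses noexec entirely), and `suspicious_php_requests` looks at one crude indicator, so an empty result does not clear the log.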