>I noticed in the logs once where people were trying to get in by FTP on
>occasion, or adding weird things to a url, when it was running just as
>an IP.
...like e.g. Code Red or Nimda do.
>My question is: does my Apache server broadcast itself or its IP
>for when script kiddies come check out my machine to see if they can
>crash it? What does it broadcast? How did the script kiddies find me?
No need to broadcast anything. Crackers run systematic scanning of
IP addresses. We reject on average 65 visitors per day, typically trying
FTP, Samba, SSH or portmap.
>Can I reverse process this and see if my stolen machine still exists
>anywhere? What would I look for?
But... is it physically stolen? Sorry - I'd have no suggestion of how to
look for it, unless of course you have set it up to send mail to somebody
and can check the IP address it is sending from, if it is SMTP. Or you
search for one of your pages in Google and find them served! Not likely,
though.
- - -
Sorry for your bad luck. Hacking is a serious problem; I have also lost a
server once.
I have taken these precautions, which I think are pretty standard.
1. Make sure no more services are running than needed. Carefully edit
start-up files - don't trust the supplier's default installation. (That was
my mistake - RH 6.2.) Enable only things you know you need.
2. Restrict (per IP) who has access. It is unlikely that all the world needs
access to all your services. Do you e.g. need global access to your mysql,
or is it just serving requests from Apache? If so, start mysql with
--skip-networking. Look into hosts.allow and firewalls (ipchains or ipfw,
depending on what server OS you are using). Look well into
inetd/hosts.allow. Also, SSH will limit access.
3. Subscribe to security newsletters. Install fixes and patches.
4. Look into COPS and other tools that check for suspicious changes (e.g.
new files running suid).
5. Use proper passwords.
6. Always connect securely
7. Be very careful who you let in as user. Do they need FTP only? Then
don't allow them shell-access.
8. Don't ever let anyone in as root, even for a second, if you do not have
100% trust.
9. Monitor logs.
10. You may still get cracked. Make regular backups in a safe place.
All this costs, of course. Lots of time. :-( But having lost one server
makes you realize that taking out the time is probably the cheapest after all.
Then say your prayers every night and of course the good old golden rule:
Don't trust software you didn't write
Don't trust hardware you didn't build
Don't trust people you aren't.
Best
Frank
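Point 9 (monitor logs) and the daily count of rejected visitors above are the kind of thing a small script can automate. The script below is an added example, not part of Frank's or John's mail; it summarises tcp_wrappers-style "refused connect from" lines and flags a source address refused on more than one service. The log lines, host name "www" and addresses are constructed samples.

```shell
#!/bin/sh
# Added example: summarise "refused connect" entries as written by tcpd
# (hosts.allow/hosts.deny rejections). The lines below are constructed;
# the host name and addresses are not from any real log.
SAMPLE_LOG='Mar 10 21:47:01 www in.ftpd[1201]: refused connect from 192.0.2.10
Mar 10 21:47:03 www in.ftpd[1202]: refused connect from 192.0.2.10
Mar 10 21:52:10 www sshd[1210]: refused connect from 198.51.100.7
Mar 10 22:01:44 www in.ftpd[1230]: refused connect from 203.0.113.5
Mar 10 22:05:00 www portmap[1233]: refused connect from 192.0.2.10
Mar 10 22:09:13 www smbd[1240]: refused connect from 192.0.2.10
Mar 10 22:30:00 www in.ftpd[1250]: connect from 10.0.0.5'

# Read log lines on stdin; print "service count" for refused connections,
# most frequent service first (ties alphabetical). Accepted connections
# ("connect from" without "refused") are ignored.
refusals_by_service() {
    awk '/refused connect from/ {
            svc = $5; sub(/\[.*/, "", svc)   # drop the "[pid]:" suffix
            n[svc]++
         }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Read log lines on stdin; print "address distinct-services" for every
# source refused on more than one service. One host knocking on FTP,
# portmap and Samba is a scan, not a mistyped login.
scanning_hosts() {
    awk '/refused connect from/ {
            svc = $5; sub(/\[.*/, "", svc)
            key = $NF SUBSEP svc
            if (!(key in seen)) { seen[key] = 1; services[$NF]++ }
         }
         END { for (ip in services) if (services[ip] > 1) print ip, services[ip] }' | sort
}

echo "Refused connections per service:"
printf '%s\n' "$SAMPLE_LOG" | refusals_by_service
echo "Hosts refused on several services:"
printf '%s\n' "$SAMPLE_LOG" | scanning_hosts
```

Piped from the real wrapper log instead of SAMPLE_LOG, the same two functions give the per-service count and the scanning hosts for a day.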
At 21:47 10/3/2002 -0500, you wrote:
>Not really a php thing, more a loss of php :) !
>
>My PHP-MySQL server has been stolen from my office (last night).
>Security has not been doing their job!
>
>I noticed in the logs once where people were trying to get in by FTP on
>occasion, or adding weird things to a url, when it was running just as
>an IP. My question is: does my Apache server broadcast itself or its IP
>for when script kiddies come check out my machine to see if they can
>crash it? What does it broadcast? How did the script kiddies find me?
>Can I reverse process this and see if my stolen machine still exists
>anywhere? What would I look for?
>
>I have a ghost backup going back to around four weeks ago, but ...
>
>Sigh :(
>John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php