[sf-lug] Hacked RHEL4/PHP4 server
jturner at nonzerosums.org
Fri May 23 18:10:48 PDT 2008
Well, late to the party, but a couple of things...
I realize it is unclear and perhaps unknowable *how* this penetration
occurred. I have no answers for you when it comes to carefully tracing
and fingerprinting through a compromised system. I'd love to stand over
your shoulder should you ever attempt to sit down over a copy of the
When it comes to the PHP-as-hack-vector, I'd be curious to hear about
the php.ini settings on that machine. RickM already pointed to his
security page, and the PHP link does indeed list some of the more common
settings changes. http://linuxmafia.com/faq/Security/php.html
After dealing with shared hosts, I've come to appreciate running
interpreters as [fast]CGI processes, with reduced user privileges. I
may have missed whether you said apache was running as root on this
setup? In any case, whether they decide to do "the right thing -- and
completely rebuild this VPS from clean sources" or not, perhaps you can
make a few helpful suggestions to them around possible config changes.
Thanks for sharing. I believe it was also RickM that shared a link that
has info on IDS tools in it (ah -- the story about the Debian hacks!).
That's my next experimental playground...
Tom Haddon wrote:
> Hi Folks,
> I'm hoping I can marshal the resources of the LUG to help me get a
> hacked server back under control. Here's the situation...
> I used to work for a non-profit back in the early 2000s that did health
> resource information, and while working for them I wrote my first ever
> web application using PHP/PostgreSQL. It was a cancer resource guide,
> showing what resources were available to patients and families in a
> local area.
> [...interesting hack story...]
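As an added example, not code from this thread or from the linked linuxmafia page: a small Python audit that parses a php.ini and reports the directives most often tightened on shared hosts (the kind of review the reply suggests). The baseline directives, the function list and the sample php.ini are constructed assumptions, not settings reported for the compromised box.

```python
# Baseline assumed for this example: directive -> risk when it is left on.
WANT_OFF = {
    "register_globals": "request parameters silently become PHP variables",
    "allow_url_fopen": "include/fopen can pull code from a remote URL",
    "display_errors": "error text leaks file paths and queries to visitors",
    "expose_php": "X-Powered-By header advertises the exact PHP version",
}
WANT_DISABLED = {"exec", "system", "passthru", "shell_exec", "proc_open"}  # flagged if not disabled

def parse_php_ini(text):
    """Return {directive: value}; php.ini uses ';' comments, [sections] and key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_off(value):
    return value.lower() in ("off", "0", "false", "no", "none", "")

def audit(settings):
    """Return (directive, actual, why) triples for every deviation from the baseline."""
    findings = []
    for directive, why in WANT_OFF.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append((directive, "<unset>", "not set explicitly; compiled-in default applies"))
        elif not is_off(actual):
            findings.append((directive, actual, why))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "<unset>", "scripts may read any file the web server user can"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    for fn in sorted(WANT_DISABLED - disabled):
        findings.append(("disable_functions", fn, "shell-spawning function still callable"))
    return findings

# Constructed php.ini fragment resembling a permissive PHP 4 install (not from the thread).
SAMPLE_INI = """[PHP]
register_globals = On      ; legacy app relies on this
allow_url_fopen = On
display_errors = Off
expose_php = On
disable_functions = exec, system
"""
if __name__ == "__main__":
    print(*audit(parse_php_ini(SAMPLE_INI)), sep="\n")
```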