RE: [cobalt-users] Hackers are coming through PHP/PHPnuke
- Subject: RE: [cobalt-users] Hackers are coming through PHP/PHPnuke
- From: "Michele Neylon :: Blacknight Solutions" <michele@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat Dec 6 07:58:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Older versions of PHP Nuke may have cross-scripting vulnerabilities. Check
out Bugtraq, etc.
Mr. Michele Neylon
Blacknight Internet Solutions Ltd
http://www.blacknightsolutions.ie/
http://www.search.ie/
Tel. + 353 (0)59 9139897
Lowest price domains in Ireland
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Ligard, Vidar
> Sent: 05 December 2003 17:56
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-users] Hackers are coming through PHP/PHPnuke
>
>
> > One of our Cobalt RaQ4r servers, where the sites
> > are mostly developed with php/phpnuke, is being hacked
> > again and again. We recently re-installed the OS and everything
> > from scratch. But again these hackers hacked a few sites
> > yesterday...
> >
> > They are entering as *httpd* user. Can anyone
> > suggest what patches we need to put on for
> > phpnuke/php.... These hackers seem to be entering through
> > these two culprits only and changing the index.html/.htm/.php
> > files and putting their one line of code in these files, which is
> > showing that they have
> > hacked the site.. Our PHP version is *PHP 4.3.4* and
> > phpnuke 6.5, but
> > a few sites are 6.9
> >
> There are basically three ways I can think of that they could be
> coming in.
>
> 1. If there is any service/applications not patched up, like an
> older version of apache installed, etc.
>
> 2. You can be all patched up, and it is still possible to leave
> holes open in your applications. If you have any cgi, asp, php or
> any other server-side scripts enabled, these may introduce
> vulnerabilities if they are not written correctly. Scripts
> _especially_ vulnerable are those that allow you to upload
> anything to the server.
>
> 3. Compromised passwords. If you are using ftp to change your
> sites, passwords and usernames are being transmitted in the open
> across the internet. If you know they are coming in as httpd,
> this is likely not the source - although it is possible they
> are changing the owner of the files to httpd to make you think
> they came in as httpd. I would definitely change your password(s)
> to eliminate this one.
>
>
> I would look at the timestamps of all the files that are changed,
> or try to find out when the compromise happened. Then go through
> log files and see if you can find anything suspicious around the
> time of compromise.
>
> Hopefully this gives you some ideas of where to look.
> Vidar
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
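The triage Vidar describes (find the modified index files, note their owner and mtime, then read the access log around that time) as an added shell example; this is not code from the thread. It assumes a Linux box with GNU find/date/stat/touch and an Apache combined-format access log, and builds its own constructed web root and log so it runs stand-alone.

```shell
#!/bin/sh
# Assumptions (not from the list post): GNU coreutils/findutils, Apache combined log.
# Log timestamps and file mtimes must be in the same timezone for the hour match to hold.

# Print the access-log lines from the same clock hour as FILE's mtime.
log_lines_near_mtime() {
    file=$1; log=$2
    hour=$(date -r "$file" '+%d/%b/%Y:%H')   # e.g. 05/Dec/2003:17 matches "[05/Dec/2003:17:56:02 +0000]"
    grep -F "[$hour" "$log" || :
}

# For every index.html/.htm/.php under ROOT modified after SINCE, show owner, mtime
# and the log lines from that hour (the defacer's request is usually among them).
triage_index_files() {
    root=$1; log=$2; since=$3
    find "$root" -type f \( -name 'index.html' -o -name 'index.htm' -o -name 'index.php' \) \
         -newermt "$since" |
    while IFS= read -r f; do
        printf '== %s (owner %s, mtime %s)\n' "$f" "$(stat -c %U "$f")" "$(date -r "$f" '+%F %T')"
        log_lines_near_mtime "$f" "$log"
    done
}

# Constructed sample: two defaced index files, one untouched file, and a four-line log.
build_sample() {
    d=$(mktemp -d); mkdir -p "$d/web/site1" "$d/web/site2"
    echo '<!-- defaced -->' > "$d/web/site1/index.html"
    echo '<?php /* defaced */ ?>' > "$d/web/site2/index.php"
    echo '<html>ok</html>' > "$d/web/site2/index.htm"
    touch -d '2003-12-05 17:56:00' "$d/web/site1/index.html"
    touch -d '2003-12-05 17:57:00' "$d/web/site2/index.php"
    touch -d '2003-11-01 09:00:00' "$d/web/site2/index.htm"
    cat > "$d/access_log" <<'EOF'
10.0.0.5 - - [05/Dec/2003:12:10:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [05/Dec/2003:17:55:40 +0000] "POST /modules.php HTTP/1.1" 200 87 "-" "Mozilla/4.0"
10.0.0.9 - - [05/Dec/2003:17:56:02 +0000] "GET /index.html HTTP/1.1" 200 19 "-" "Mozilla/4.0"
10.0.0.7 - - [06/Dec/2003:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 640 "-" "Mozilla/4.0"
EOF
    echo "$d"
}

# Stand-alone run: only the two files changed since 1 Dec are listed, each with its hour's requests.
d=$(build_sample)
triage_index_files "$d/web" "$d/access_log" '2003-12-01'
```

On a real RaQ, point it at the document root and the virtual host's access_log instead of the sample, and widen the window by also grepping the previous hour if the mtime is near the top of the hour.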