httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Billy Nab" <b...@centurims.com>
Subject RE: [users@httpd] Security scanners.
Date Thu, 27 Apr 2006 19:39:34 GMT
Well, as far as scanners, sure they exist.  I can show a log of a
personal server that gets hit about 100 in under a minute by a script or
program scanning for vulnerabilities in PHP, Apache, ASP, IIS all of it.

They try to find web pages or scripts that are exploitable, which give
them access to the machine - after that they can ftp in, if that is
open, telnet, if that is open (and should not be at all) or otherwise
change your content because they have access to the system.

It may not even necessarily be an Apache issue, but probably an insecure
script, like PHP-NUKE or something that you or one of the users of a
virtual site had installed.  That would be the place to look, what
scripts were installed on the virtual servers?

BN

-----Original Message-----
From: Georgy Goshin [mailto:gosha@inbox.ee] 
Sent: Thursday, April 27, 2006 12:31 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Security scanners.

There is about 50 virtual servers, I can't reinstall now, need to find
the 
hole.
The changed file has apache.apache ownership, so I think that the hole
in 
web server of php.


G.



----- Original Message ----- 
From: "Sean Conner" <sean@conman.org>
To: <users@httpd.apache.org>
Sent: Thursday, April 27, 2006 8:24 PM
Subject: Re: [users@httpd] Security scanners.


> It was thus said that the Great Georgy Goshin once stated:
>>
>> Hello,
>>
>> A few of virtual hosts on my server was hacked - the content was
replaced
>> and I can't figure how they did it. Is there any software that will
scan 
>> the
>> web server and checks for known security holes?
>
>  I don't know of any software [2] that will do what you ask, but
having 
> been
> the recipient of several hacks [1] your server may not have been 
> compromised
> through the webserver---*any* other service running could have been
the
> vector through which you were compromised (DNS, SQL, SMTP, etc.).  Or
it
> could have been an inside job (the login information to update one of
your
> sites was compromised).
>
>  Until you figure out how they got in, you have two choices:
>
> 1. Turn off any services you don't need (you should do this anyway),
>    change all passwords and disable all CGI scripts until they've
>    been vetted clean.
>
> 2. Nuke and pave.  Reinstall the server from scratch (I only
>    recommend this if you have no clue how to proceed or are truely
>    paranoid) with the latest version you have on CD, then patch
>    patch patch until *all* the software is to the latest version.
>    You'll still want to turn off any services you don't need (or
>    understand) after the install, change the passwords and disable
>    any CGI scripts until they've been vetted.
>
>  -spc (Been there, done that, don't even have a lousy tee shirt ... )
>
> [1] The worst so far being this one:
>
> http://boston.conman.org/2004/09/13.1
> http://boston.conman.org/2004/09/14.1
> http://boston.conman.org/2004/09/19.1
>
> There have been others though:
>
> http://boston.conman.org/2005/10/05.2
>
> [2] Actually, I do know of some, but they're the software programs
that
> are currently trying to break in through an insecure webserver or
> CGI scripts.  You can check your web logfiles and see plenty of
> those happening.  If any of those requests are 200, then there's a
> hole.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message