RE: Server hacked?



-----Original Message-----
From: ubuntu-users-bounces@xxxxxxxxxxxxxxxx
[mailto:ubuntu-users-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Res
Sent: Wednesday, 2 January 2008 2:43
To: Ubuntu user technical support, not for general discussions
Subject: RE: Server hacked?


On Wed, 2 Jan 2008, Joris Dobbelsteen wrote:

contained to a very limited set of my system. The processes are of the
user www-data. So it seems a web site has been hacked instead. (Count

Your more important priority is to locate how they got in,
else fixing the system is pointless.

Do you run php, if so what type of programs? Gallery? phpnuke?

The exploit was found. System runs PHP with Joomla.
It seems there is an exploit here.

At least there are some lessons in this:
* Use one-user-per-website only (easier auditing).

Good idea...

Dirs should be 710 for htdocs root
eg: chmod 710 /var/www/vhosts
chmod 710 /var/www/vhosts/example.com
chmod 710 /var/www/vhosts/example.net

Ensure the users who own those domains are the only ones with
access, except group must be web server.
eg: chown -R jack.apache /var/www/vhosts/example.com
chown -R jill.apache /var/www/vhosts/example.net


Use suexec in every virtualhost block in Apache
eg: SuexecUserGroup jack apache

I'm still failing to see how this provides security and what the
implications are. I'm also a bit puzzled about how suexec affects file
accesses (those without scripts). I did use CGI and not the webserver
loadable PHP library, but didn't get suexec to work to my liking.

and lock down php... eg:
open_basedir =/var/www:/tmp:/usr/local/lib/php

disable_functions = exec, shell_exec, system, virtual, show_source, readfile, passthru, escapeshellcmd, popen, pclose, phpinfo

Doesn't this break a lot of applications? From what I know, at least
Gallery2 does execute shell commands...

Sincerely,

- Joris


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
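The per-site layout Res recommends above (one Unix user per vhost, directories at mode 710 owned by that user with the web server's group, and a php.ini with open_basedir and disable_functions set) is easy to get slightly wrong and then drift over time. The following script is an added example, not code from the thread or from Ubuntu; it sets up one vhost directory that way and then audits it, and it checks a php.ini for the two lockdown settings. It assumes a Linux host with GNU coreutils (`stat -c`) and uses `apache` as the web server group by default, as in the thread; set WEB_GROUP to try it as an unprivileged user (chown to your own user and group needs no root).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils (stat -c) on Linux.
# WEB_GROUP is the web server's group ("apache" in the thread); override it in the
# environment to run the checks without root.
set -u

WEB_GROUP="${WEB_GROUP:-apache}"

# setup_vhost ROOT USER DOMAIN
# Creates ROOT/DOMAIN/htdocs owned by USER:$WEB_GROUP and sets ROOT and ROOT/DOMAIN
# to 710: owner rwx, web server group search-only (x), nothing for others.
setup_vhost() {
    root=$1; user=$2; domain=$3
    mkdir -p "$root/$domain/htdocs"
    chown -R "$user:$WEB_GROUP" "$root/$domain"
    chmod 710 "$root" "$root/$domain"
}

# Small helpers around stat; %a = octal mode, %U/%G = owner/group names.
dir_mode()  { stat -c '%a' "$1"; }
dir_owner() { stat -c '%U' "$1"; }
dir_group() { stat -c '%G' "$1"; }

# audit_vhost DIR USER
# Returns 0 when DIR is 710, owned by USER with the web server group, and nothing
# under it is world-writable (the "777 directory" case). Prints one line per finding
# so it can run from cron and be mailed to the admin.
audit_vhost() {
    dir=$1; user=$2; rc=0
    mode=$(dir_mode "$dir")
    [ "$mode" = "710" ] || { echo "$dir: mode $mode, expected 710"; rc=1; }
    owner=$(dir_owner "$dir")
    [ "$owner" = "$user" ] || { echo "$dir: owner $owner, expected $user"; rc=1; }
    group=$(dir_group "$dir")
    [ "$group" = "$WEB_GROUP" ] || { echo "$dir: group $group, expected $WEB_GROUP"; rc=1; }
    # -perm -002: any entry with the other-write bit set (octal for portability).
    ww=$(find "$dir" -perm -002 | head -n 1)
    [ -z "$ww" ] || { echo "$dir: world-writable entry $ww"; rc=1; }
    return $rc
}

# php_ini_check INI FUNC...
# Returns 0 when INI sets a non-empty open_basedir and every FUNC is listed in
# disable_functions. Expects disable_functions on a single line, as php.ini requires
# (the thread's mail client wrapped it over two lines).
php_ini_check() {
    ini=$1; shift; rc=0
    if ! grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
        echo "$ini: open_basedir not set"; rc=1
    fi
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d ' ')
    for f in "$@"; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) echo "$ini: $f not in disable_functions"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (as root, with the thread's values):
#   setup_vhost /var/www/vhosts jack example.com
#   audit_vhost /var/www/vhosts/example.com jack
#   php_ini_check /etc/php5/apache2/php.ini exec shell_exec system popen
```

The audit deliberately reports every finding rather than stopping at the first, and exits non-zero only on a finding, so it drops straight into a cron job or a post-deploy check. The world-writable scan is the part that catches the most common regression: an application installer or a hurried `chmod 777` reopening a directory that suexec and the 710 layout were meant to keep closed.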


