[Dshield] Another web server attack

ed.truitt@etee2k.net ed.truitt at etee2k.net
Thu Nov 17 14:53:09 GMT 2005

I did find out a few things -- the malicious script added JavaScript or PHP code
to existing script files that were group/world writable, which when executed
would allow the web site to be used as an anonymizer for the purpose of
accessing warez and other such undesirable stuff on a server in Russia (which
apparently was a legit box, but had also been co-opted as a warez distribution

The moral of this story:  don't trust file permissions on software packages --
web application code should not be writable by anyone other than the owner
(which shouldn't be the same user account that the web server process runs

Needless to say, I am going over all the application code I have, and setting
file permissions to 644, with directory permissions set to 755.

-E D Truitt

Quoting Ed Truitt <ed.truitt at etee2k.net>:

> Yesterday, the web server that hosts my site got hit - an attack 
> which used the find command to locate directories which were group or 
> world-writable, then added code to any scripts found which, among 
> other things, snagged userid/password pairs and emailed them to 
> Mother Russia.  Main targets were blogging or CMS software (I run 
> both) because they often have weak file permissions.  As/if I find 
> out more I'll post to the list.

