[Dshield] Another web server attack
lucy at lucindrea.com
Thu Nov 17 20:52:49 GMT 2005
Ya, I've been seeing a lot of 404s in my server log for /blog... (several
combos of paths), now I know what it is.
> PHP code
> to existing script files that were group/world writable, which when
> would allow the web site to be used as an anonymizer for the purpose of
> accessing warez and other such undesirable stuff on a server in Russia
> apparently was a legit box, but had also been co-opted as a warez
> The moral of this story: don't trust file permissions on software
> packages --
> web application code should not be writable by anyone other than the owner
> (which shouldn't be the same user account that the web server process runs
> Needless to say, I am going over all the application code I have, and
> file permissions to 644, with directory permissions set to 755.
> -E D Truitt
> Quoting Ed Truitt <ed.truitt at etee2k.net>:
>> Yesterday, the web server that hosts my site got hit - an attack
>> which used the find command to locate directories which were group or
>> world-writable, then added code to any scripts found which, among
>> other things, snagged userid/password pairs and emailed them to
>> Mother Russia. Main targets were blogging or CMS software (I run
>> both) because they often have weak file permissions. As/if I find
>> out more I'll post to the list.
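An audit for the weak permissions discussed in this thread, as an added example that is not part of the original posts: it lists group- or world-writable files and directories under a web root, flags entries owned by the web server account, and applies the 644/755 modes mentioned above. The function names and the web server account passed as the second argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for group/world-writable application code.
# Function names and the account name you pass in are illustrative assumptions.

# Files and directories that group or others can write to.
# Symlinks are skipped because their own mode bits are not enforced.
list_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Entries owned by the account the web server process runs as ($2).
list_owned_by() {
    find "$1" \( -type f -o -type d \) -user "$2" -print
}

# Apply the modes from the thread: 755 for directories, 644 for files.
# Note: 644 also clears execute bits, so CGI scripts need them restored.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: audit_webroot DIR [WEB_SERVER_USER]
# Returns 0 when clean, 1 when any finding is reported on stderr.
audit_webroot() {
    status=0
    writable=$(list_writable "$1")
    if [ -n "$writable" ]; then
        printf 'group/world-writable:\n%s\n' "$writable" >&2
        status=1
    fi
    if [ -n "${2:-}" ]; then
        owned=$(list_owned_by "$1" "$2")
        if [ -n "$owned" ]; then
            printf 'owned by web server account %s:\n%s\n' "$2" "$owned" >&2
            status=1
        fi
    fi
    return "$status"
}

# Run the audit when called with arguments, e.g. ./audit.sh /path/to/webroot USER
if [ $# -gt 0 ]; then audit_webroot "$@"; fi
```

Run it before and after `harden_webroot` to confirm the writable list is empty; the ownership check keeps failing until the code is owned by an account other than the one the web server runs as.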