[Dshield] Another web server attack

lucy@lucindrea.com lucy at lucindrea.com
Thu Nov 17 20:52:49 GMT 2005


Yeah, I've been seeing a lot of 404s in my server log for /blog... (several combos of paths). Now I know what it is.

> I did find out a few things -- the malicious script added Javascript or PHP code
> to existing script files that were group/world writable, which when executed
> would allow the web site to be used as an anonymizer for the purpose of
> accessing warez and other such undesirable stuff on a server in Russia (which
> apparently was a legit box, but had also been co-opted as a warez distribution
> point.)
>
> The moral of this story:  don't trust file permissions on software packages --
> web application code should not be writable by anyone other than the owner
> (which shouldn't be the same user account that the web server process runs
> under.)
>
> Needless to say, I am going over all the application code I have, and
> tightening file permissions to 644, with directory permissions set to 755.
>
> Cheers,
> -E D Truitt
> http://www.etee2k.net
>
> Quoting Ed Truitt <ed.truitt at etee2k.net>:
>
>> Yesterday, the web server that hosts my site got hit - an attack
>> which used the find command to locate directories which were group or
>> world-writable, then added code to any scripts found which, among
>> other things, snagged userid/password pairs and emailed them to
>> Mother Russia.  Main targets were blogging or CMS software (I run
>> both) because they often have weak file permissions.  As/if I find
>> out more I'll post to the list.
>
>
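The attack in this thread found its targets with `find` by looking for group- or world-writable files and directories, and the fix Ed describes is 644/755 with code not owned by the web server account. The script below is an added audit example, not code from the list post or from either poster: it reports those conditions under a web root and can apply the 644/755 tightening. The web root path and the server account name (defaulting to an assumed `www-data`) are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the Dshield thread): audit a web root for the
# weak-permission conditions the attack exploited, then optionally tighten.

audit_webroot() {
    root="$1"
    srvuser="${2:-www-data}"   # assumed web server account name

    # Files writable by group or world: exactly what the attacker's find
    # pass looked for before appending code. -perm -mode is POSIX find.
    find "$root" -type f \( -perm -020 -o -perm -002 \) -print \
        | sed 's/^/writable-file: /'

    # Directories writable by group or world: where dropped scripts land.
    find "$root" -type d \( -perm -020 -o -perm -002 \) -print \
        | sed 's/^/writable-dir: /'

    # Anything owned by the web server account: if the server process owns
    # its own code, a compromised request handler can rewrite the application.
    if id "$srvuser" >/dev/null 2>&1; then
        find "$root" -user "$srvuser" -print | sed 's/^/server-owned: /'
    fi
}

# Number of findings, usable as a check in a cron job or deploy script
# (0 means nothing group/world-writable and nothing owned by the server user).
audit_count() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# Apply the thread's recommendation: 644 for files, 755 for directories.
# Run this only on code trees; upload or cache directories that the server
# legitimately writes to need their own, separately justified permissions.
tighten_webroot() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
}
```

Run `audit_webroot /var/www/blog` (path assumed) and look for any `writable-*` or `server-owned` lines; the blog and CMS directories the thread mentions are the first place to check.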