shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]
Peter Corlett
abuse at cabal.org.uk
Sun Sep 24 09:49:47 UTC 2006
On 24 Sep 2006, at 04:00, Gadi Evron wrote:
[...]
> With thousands of sites on every server and virtual machines everywhere,
> all it takes is one insecure web application such as xxxBB or PHPxx for
> the server to be remote accessed, and for a remote connect-back shell to
> be installed. The rest is history.
Hence why I'm rather partial to the ROT13 of a certain such
application: cucOO.
[...]
> We all (well, never say all, every, never, ever, etc.), many of us face
> this. What solutions have you found?
>
> Some solutions I heard used, or utilized:
> 1. Remote scanning of web servers.
Well, I *did* at one point have a script that looked for files with
any of a list of MD5 sums and chmod them 000 if it found one.
Grepping for "Matt Wright" in Perl scripts and chmodding them is also
not a bad idea :)
> 2. Much stronger security enforcement on servers.
Actually, even bothering to use Unix user accounts rather than
running everything under the Apache uid (or sometimes nobody or
root!) would be a fine start.
> 3. "Quietly patching" user web applications without permission.
I would like to plead the Fifth at this point.
> 4. JGH - Just getting hacked.
This seems to be a popular enough technique, as long as the money
still keeps rolling in, but not one I particularly subscribe to
because the bad reputation gets round after a while.
> What have you encountered? What have you done, sorry, heard of someone
> else do, to combat this very difficult problem on your networks?
Hacked accounts aren't evenly distributed over the customer base. A
judiciously-applied account suspension or bollocking goes a long way.
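A defender's sketch of the two checks Peter mentions above (matching files against a list of MD5 sums, and grepping Perl/CGI scripts for the "Matt Wright" author string), written for this page as added example code rather than the original script: it walks a webroot, reports matches, and only applies the chmod 000 quarantine when called with apply=True. The "known-bad" sample content, its hash, and the demo webroot are constructed placeholders, not real indicators.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a known-bad hash list: hashing a sample avoids hard-coding a real IoC.
SAMPLE_BAD_CONTENT = b"<?php /* constructed sample standing in for a known webshell */ ?>\n"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE_BAD_CONTENT).hexdigest()}
# The post's second heuristic: Perl/CGI scripts carrying this author credit.
PERL_SIGNATURES = (b"Matt Wright",)
PERL_SUFFIXES = {".pl", ".cgi"}


def classify(path):
    """Return a reason string if the file matches either heuristic, else None."""
    data = path.read_bytes()
    if hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5:
        return "md5 match"
    if path.suffix in PERL_SUFFIXES:
        for sig in PERL_SIGNATURES:
            if sig in data:
                return "signature: " + sig.decode()
    return None


def scan_webroot(root, apply=False):
    """Walk root without following symlinks; return sorted [(relpath, reason)].
    apply=True also chmods each hit to 000, the post's quarantine step."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):  # followlinks defaults to False
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # never chmod through a customer-controlled link
            reason = classify(path)
            if reason:
                hits.append((path.relative_to(root).as_posix(), reason))
                if apply:
                    path.chmod(0)
    return sorted(hits)


def demo():
    """Scan a constructed webroot in a temp directory, report-only mode."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "uploads" / "img.php").write_bytes(SAMPLE_BAD_CONTENT)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "formmail.pl").write_bytes(b"#!/usr/bin/perl\n# by Matt Wright\n")
        (root / "index.html").write_bytes(b"<html>clean</html>\n")
        return scan_webroot(root)
```

Run report-only first and review the hits before re-running with apply=True on a real webroot, since a hash list or signature string can match a customer's legitimate file.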