Yes, but you don't

On Wed, Jan 27, 2010 at 9:35 AM, Nilesh Govindarajan <[email protected]> wrote:
> On 01/27/2010 08:01 PM, Gerhard Killesreiter wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adam Gregory wrote:
>>
>>> This is more a server security issue rather than a Drupal one. I've seen
>>> this happen with Drupal, Joomla, Wordpress and custom PHP code. It
>>> really most likely means that access to the server/host was compromised
>>> at some point.
>>>
>>> There are lots of things that can be done to prevent this like
>>> chmod/own-ing your file system correctly (as Gerhard touched on). This is
>>> also a good reason to use SFTP rather than FTP, as passwords in SFTP are
>>> sent encrypted and FTP are not, leaving them open to a *man-in-the-middle
>>> attack.*
>>>
>>
>> People still using FTP in 2010 should be shot on sight.
>>
>> Cheers,
>> Gerhard
>>
>
> *ahem*
>
> Public mirrors do use them?
>
> FTP is good if you can configure it properly. It can be a big bug in the
> security as happened in this case if not configured properly :)

Yes, but public mirrors do not require passwords. What Gerhard is talking about is uploading stuff to your site via an FTP account with a user name and password.

--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
