Just because it's too much fun to not pass along, and a useful cautionary tale. Fortunately, the person this happened to has a sense of humor about it...
A friend of mine was working on his home web site. It was a bunch of stuff, back-ended by MySQL. He was, for instance, installing a search engine (using htDig) for the content, but it wasn't cooperating and he was trying to figure out why.

Suddenly, the site goes dark. He can't log into it. He starts snooping; he can't get into MySQL. Uh, oh. (Oh. No backups, either.) The entire site implodes. He finally gives up, goes into the web logs to see what happened, thinking he got hacked.

Well, not quite. One of the tools he installed was phpMyAdmin to administer the MySQL stuff. He installed it behind a .htaccess file like you're supposed to. But what he didn't realize was the .htaccess file wasn't working right, letting anything in. What got in was -- htDig, the search engine. Which happily follows all links, including, if you let it spider phpMyAdmin, the "delete this database" links. Including the database holding all of the MySQL configuration and account info. Which causes MySQL to die. Which... You get the picture.

His search engine got into his database and deleted all of his data, because while it wasn't working, it COULD spider. And it got into an area it shouldn't have gotten into, even though it wasn't linked on the web site. How's that, you ask? How did htDig find it?

Well -- one of the other things he'd added was log processing. Including referer tracking. And one of the links the logs showed was a referer link back to the phpMyAdmin pages. So by spidering the web log data, htDig found a link into phpMyAdmin, which was supposed to be password protected but wasn't, which let htDig become a DBA, which let htDig delete all of the data...

When you build systems, do you think through the side effects of what you're doing? What are you missing? (And would you have ever figured out why this happened to you? I wonder if I would have....)

Happy hacking... But be careful out there.
-- 
Chuq Von Rospach, Architech
[EMAIL PROTECTED] -- http://www.chuqui.com/

The Cliff's Notes Cliff's Notes on Hamlet: And they all died happily ever after

_______________________________________________
Mailman-Developers mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman-21/listinfo/mailman-developers
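A defender-side check for the failure in the story, added here as an example and not part of the post: it parses Apache combined-format access log lines and flags any 200 response on the phpMyAdmin path where no authenticated user was recorded (the .htaccess rules not taking effect) or where the user-agent is htDig's, together with the referer that led it there. The path prefix, the "htdig" user-agent marker and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Apache "combined" log format: host ident authuser [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumptions: phpMyAdmin is served under this prefix, and the crawler announces
# itself with a User-Agent containing "htdig" (stock htDig sends "htdig/<version> ...").
PROTECTED_PREFIXES = ("/phpmyadmin/",)
CRAWLER_MARKERS = ("htdig",)

def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one combined-format line, or {} if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}

def audit_protected_area(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, referer, reasons) for each 200 on a protected path that auth should have stopped.
    With HTTP basic auth enforced the authuser field is filled in; "-" on a 200 means the
    .htaccess rules were not applied. A crawler UA shows an unauthenticated spider got in."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].lower().startswith(PROTECTED_PREFIXES):
            continue
        if rec["status"] != "200":
            continue  # a 401/403 here means the protection is doing its job
        reasons = []
        if rec["user"] == "-":
            reasons.append("unauthenticated 200 on protected path")
        if any(mark in rec["agent"].lower() for mark in CRAWLER_MARKERS):
            reasons.append("crawler reached protected path")
        if reasons:
            findings.append((rec["path"], rec["referer"], reasons))
    return findings

# Constructed sample lines (not from the post): an authenticated admin, the spider fetching
# a referer-stats page, then following the link it found there into phpMyAdmin.
SAMPLE_LOG = """\
192.0.2.10 - chuq [12/Mar/2002:10:01:02 -0800] "GET /phpMyAdmin/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Mar/2002:10:05:44 -0800] "GET /stats/referers.html HTTP/1.0" 200 2048 "-" "htdig/3.1.6 (webmaster@example.com)"
192.0.2.10 - - [12/Mar/2002:10:05:45 -0800] "GET /phpMyAdmin/index.php?db=mysql HTTP/1.0" 200 300 "http://www.example.com/stats/referers.html" "htdig/3.1.6 (webmaster@example.com)"
192.0.2.10 - - [12/Mar/2002:10:07:00 -0800] "GET /phpMyAdmin/index.php HTTP/1.0" 401 480 "-" "Mozilla/4.0"
"""
```

Running `audit_protected_area` over a real access log right after installing the .htaccess rules is a cheap way to confirm they are actually being enforced before any spider gets a chance to find the area.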