On Friday 21 December 2001 03:51, Bogdan Stancescu stuffed this into my 

NEVER EVER think that because they don't know your URL they won't find 
I've seen various people on security mailinglists stating I just have a new 
domain I haven't published yet and I got hacked already (or even with 
nimda/code red with servers on new domains that got infected within several 
hours without any outsiders knowing about the domain). The thing is pretty 
simple, a lot of people scan for webservers, so never assume they won't find 
you. I personally use a dynamic dns at home, which sometimes doesn't update 
correctly. Whatever the reason, when I need my box and the dyndns isn't 
correctly pointing to my home IP I simply scan the entire ISP IP range for 
webservers and look at each and every one of them until I find mine. Believe 
me, I've seen shitloads of pages nobody but the computer owner knew about, or 
atleast, so they think....
The point is YOU CAN AND WILL be found :-)
Virtual domains is another thing, they're pretty hard. But they'll still find 
the webserver with which they only get the 1st domain if they don't know the 
domain names of the others, but still, you're not safe. Security is about 
securing every step you can. Hence, if your webserver or whatever was cracked 
or they could get the config through some exploit or something, they'd know 
the virtual domains. Since they want in and only got that and couldn't find 
any other exploits they'll be looking on the other domains for insecurities 
in scripts and CGI's n stuff.

Regards & happy holidays people.

> > > > True, but in a shared hosting environment this is very likely.
> > >
> > >...not to mention open source code.
> >
> > Oh yeah.  Guess I had a mental lapse there.  If you are using, say, a
> > script downloaded from freshmeat.net and it happens to be poorly secured
> > then obviously the entire free world is going to know how to exploit your
> > copy of it....duh....
> Actually that's exactly what I had in mind. Heck, if your point is that
> they don't know your URL then what's the point in the whole security issue
> anyways?

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to