On Friday 21 December 2001 03:51, Bogdan Stancescu stuffed this into my
NEVER EVER think that because they don't know your URL they won't find
I've seen various people on security mailing lists stating "I just have a new
domain I haven't published yet and I got hacked already" (or even with
Nimda/Code Red with servers on new domains that got infected within several
hours without any outsiders knowing about the domain). The thing is pretty
simple, a lot of people scan for webservers, so never assume they won't find
you. I personally use a dynamic dns at home, which sometimes doesn't update
correctly. Whatever the reason, when I need my box and the dyndns isn't
correctly pointing to my home IP I simply scan the entire ISP IP range for
webservers and look at each and every one of them until I find mine. Believe
me, I've seen shitloads of pages nobody but the computer owner knew about, or
at least, so they think....
The point is YOU CAN AND WILL be found :-)
Virtual domains are another thing, they're pretty hard. But they'll still find
the webserver with which they only get the 1st domain if they don't know the
domain names of the others, but still, you're not safe. Security is about
securing every step you can. Hence, if your webserver or whatever was cracked
or they could get the config through some exploit or something, they'd know
the virtual domains. Since they want in and only got that and couldn't find
any other exploits they'll be looking on the other domains for insecurities
in scripts and CGIs n stuff.
Regards & happy holidays people.
> > > > True, but in a shared hosting environment this is very likely.
> > >
> > >...not to mention open source code.
> > Oh yeah. Guess I had a mental lapse there. If you are using, say, a
> > script downloaded from freshmeat.net and it happens to be poorly secured
> > then obviously the entire free world is going to know how to exploit your
> > copy of it....duh....
> Actually that's exactly what I had in mind. Heck, if your point is that
> they don't know your URL then what's the point in the whole security issue
PHP General Mailing List (http://www.php.net/)