On Sun, Mar 25, 2012 at 4:07 PM, Daniel Convissor <dani...@analysisandsolutions.com> wrote:

> 'd love to hear the thoughts of
> the people here on it from a code level and user interface level.
>
> http://wordpress.org/extend/plugins/login-security-solution/

Dan, I haven't tried it yet but from reading about the features, OMG! It's great. I will install it.

> > egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' *| xargs
>
> I'd have just grep'ed for "eval", since that should never be in any code
> I want to use. Your regex would miss code that doesn't have double
> quotes, doesn't use base64_decode, has spacing in it, etc.

Yeah, I assembled the regex based specifically on the malicious code that I was looking at in all my files. I suppose the trick is to fashion a regex that catches an actual eval call inside php tags -- there's always a chance that the string "eval" is somehow legitimately contained inside some php tags.

> Oh, and lock down your file permissions. The web server shouldn't be
> allowed to write to any files or directories.

Except when it really needs to, like for writing data to a file-based cache, or accepting file uploads. How do you recommend handling those cases?

I have been wondering, why not chmod ALL your php files to 400? Indeed I did this with one site after my infection, but not the several others. Then I got hit again, but the site whose php files were 400 was not affected -- probably not a coincidence. It's perhaps a bit of an inconvenience when you need to update/overwrite, but I see no reason we can't relax permissions temporarily for code deployments and reset them back when we're done.

--
David Mintz
http://davidmintz.org/
It ain't over: http://www.healthcare-now.org/
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show-participation
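The two practical points in the message above, a broader eval() scan than the quoted egrep one-liner and the "chmod 400, relax for deployment, relock" idea, as one added shell example. This is not code from the list posting or from either poster; it assumes POSIX sh with find, grep -E, mktemp and ls, and the sample files (clean.php, a.php, b.php, c.php and their contents) are constructed here purely for the demonstration. The scan goes beyond the quoted regex: it matches any eval( call regardless of quoting, spacing or decoder, while rejecting longer identifiers such as "evaluate".

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh plus find,
# grep -E, mktemp and ls; every path and file body below is constructed.

# Build a throwaway tree: one benign file plus three injected variants,
# two of which the thread's double-quote/base64_decode-only regex misses.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/plugins/x"
  # benign: "eval" appears only in a comment and inside a longer word
  printf '<?php\n// we evaluate input here; no eval call\n$x = "evaluate";\n' \
    > "$dir/clean.php"
  # the exact one-liner the original regex was written for
  printf '<?php eval(base64_decode("aGVsbG8="));?>\n' > "$dir/a.php"
  # single quotes plus extra spacing
  printf "<?php eval ( base64_decode( 'aGVsbG8=' ) ); ?>\n" > "$dir/wp-content/b.php"
  # no base64_decode at all, error-suppressed with @
  printf '<?php @eval(gzinflate(str_rot13("x")));\n' > "$dir/wp-content/plugins/x/c.php"
  echo "$dir"
}

# List every .php file under $1 containing an eval( call, whatever the
# quoting, spacing or decoder. The (^|[^[:alnum:]_]) guard stops identifiers
# such as "evaluate" or "my_eval(" from matching while still catching "@eval(".
scan_for_eval() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE '(^|[^[:alnum:]_])eval[[:space:]]*\(' {} + | sort
}

# Permission helpers for the chmod-400 idea. Mode defaults to 400 (owner
# read-only); pass 440 if the web server is a separate user in the group.
lock_php_files()   { find "$1" -type f -name '*.php' -exec chmod "${2:-400}" {} + ; }
unlock_php_files() { find "$1" -type f -name '*.php' -exec chmod "${2:-640}" {} + ; }

# Run a deployment command with the tree writable, then relock it even if
# the command fails. Usage: deploy_with_relock /var/www/site git pull
deploy_with_relock() {
  root=$1; shift
  unlock_php_files "$root"
  "$@"; rc=$?
  lock_php_files "$root"
  return $rc
}

# Symbolic mode string of a path, e.g. -r-------- for 400.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo on the constructed tree (safe: everything lives under a temp dir).
demo_root=$(make_sample_tree)
echo "files with an eval() call under $demo_root:"
scan_for_eval "$demo_root"
lock_php_files "$demo_root"
echo "after lock: $(mode_of "$demo_root/a.php") $demo_root/a.php"
rm -rf "$demo_root"
```

Two caveats worth keeping in mind when using this. A 400 file is readable only by its owner, so the chmod-400 approach presupposes that PHP executes as the file owner (suPHP, suexec or a per-site php-fpm pool); in that arrangement a direct overwrite by injected code fails, but the same process can still call chmod() on files it owns, so this is a speed bump rather than a boundary. Where the web server runs as a different user, use 440 with that user in the file's group instead, and keep the directories that genuinely must be web-writable (file caches, uploads) separate from the code tree and configured so that nothing in them is ever executed as PHP.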