Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]

  • From: Peter Corlett
  • Date: Sun Sep 24 05:52:14 2006

On 24 Sep 2006, at 04:00, Gadi Evron wrote:
> With thousands of sites on every server and virtual machines everywhere,
> all it takes is one insecure web application such as xxxBB or PHPxx for
> the server to be remote accessed, and for a remote connect-back shell to
> be installed. The rest is history.

Hence why I'm rather partial to the ROT13 of a certain such application: cucOO.

> We all (well, never say all, every, never, ever, etc.), many of us face
> this. What solutions have you found?
>
> Some solutions I heard used, or utilized:
> 1. Remote scanning of web servers.

Well, I *did* at one point have a script that looked for files with any of a list of MD5 sums and chmod them 000 if it found one. Grepping for "Matt Wright" in Perl scripts and chmodding them is also not a bad idea :)

> 2. Much stronger security enforcement on servers.

Actually, even bothering to use Unix user accounts rather than running everything under the Apache uid (or sometimes nobody or root!) would be a fine start.

> 3. "Quietly patching" user web applications without permission.

I would like to plead the Fifth at this point.

> 4. JGH - Just getting hacked.

This seems to be a popular enough technique, as long as the money still keeps rolling in, but not one I particularly subscribe to because the bad reputation gets round after a while.

> What have you encountered? What have you done, sorry, heard of someone
> else do, to combat this very difficult problem on your networks?

Hacked accounts aren't evenly distributed over the customer base. A judiciously-applied account suspension or bollocking goes a long way.
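
The sweep described under item 1 of the reply above, as an added example; it is not Peter Corlett's script, which the message does not show. The function name `quarantine`, its parameters and the `.pl`/`.cgi` suffix filter are assumptions made for illustration, and the hash set is supplied by the operator.

```python
import hashlib
import os
import stat

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def quarantine(root, bad_md5s, marker=None, dry_run=False):
    """chmod 000 every regular file under root whose MD5 is in bad_md5s, or
    (when marker is given) any .pl/.cgi file containing that byte string.
    Returns the sorted list of (path, reason) pairs that matched.
    An exact-hash match only catches unmodified copies of a known file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue  # skip symlinks, FIFOs and device nodes
                reason = None
                if md5_of(path) in bad_md5s:
                    reason = "md5"
                elif marker and name.endswith((".pl", ".cgi")):
                    with open(path, "rb") as f:
                        if marker in f.read():
                            reason = "marker"
            except OSError:
                continue  # unreadable, or removed while the scan was running
            if reason:
                hits.append((path, reason))
                if not dry_run:
                    os.chmod(path, 0)  # mode 000: the web server can no longer run it
    return sorted(hits)
```

Running it with `dry_run=True` first gives the list of affected customer files before any permissions change.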
