On 24 Sep 2006, at 04:00, Gadi Evron wrote: [...]
With thousands of sites on every server and virtual machines everywhere, all it takes is one insecure web application such as xxxBB or PHPxx for the server to be remote accessed, and for a remote connect-back shell to be installed. The rest is history.
Hence why I'm rather partial to the ROT13 of a certain such application: cucOO. [...]
We all (well, never say all, every, never, ever, etc.), many of us face this. What solutions have you found?
Some solutions I heard used, or utilized: 1. Remote scanning of web servers.
Well, I *did* at one point have a script that looked for files with any of a list of MD5 sums and chmod them 000 if it found one. Grepping for "Matt Wright" in Perl scripts and chmodding them is also not a bad idea :)
2. Much stronger security enforcement on servers.
Actually, even bothering to use Unix user accounts rather than running everything under the Apache uid (or sometimes nobody or root!) would be a fine start.
3. "Quietly patching" user web applications without permission.
I would like to plead the Fifth at this point.
4. JGH - Just getting hacked.
This seems to be a popular enough technique, as long as the money still keeps rolling in, but not one I particularly subscribe to because the bad reputation gets round after a while.
What have you encountered? What have you done, sorry, heard of someone else do, to combat this very difficult problem on your networks?
Hacked accounts aren't evenly distributed over the customer base. A judiciously-applied account suspension or bollocking goes a long way.