[92515] in North American Network Operators' Group
Re: shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]
daemon@ATHENA.MIT.EDU (Peter Corlett)
Sun Sep 24 05:50:50 2006
In-Reply-To: <Pine.LNX.4.21.0609232153440.10404-100000@linuxbox.org>
From: Peter Corlett <abuse@cabal.org.uk>
Date: Sun, 24 Sep 2006 10:49:47 +0100
To: nanog@merit.edu
On 24 Sep 2006, at 04:00, Gadi Evron wrote:
[...]
> With thousands of sites on every server and virtual machines everywhere,
> all it takes is one insecure web application such as xxxBB or PHPxx for
> the server to be remotely accessed, and for a remote connect-back shell
> to be installed. The rest is history.
Hence why I'm rather partial to the ROT13 of a certain such
application: cucOO.
[...]
> We all (well, never say all, every, never, ever, etc.), many of us face
> this. What solutions have you found?
>
> Some solutions I heard used, or utilized:
> 1. Remote scanning of web servers.
Well, I *did* at one point have a script that looked for files with
any of a list of MD5 sums and chmod them 000 if it found one.
Grepping for "Matt Wright" in Perl scripts and chmodding them is also
not a bad idea :)
> 2. Much stronger security enforcement on servers.
Actually, even bothering to use Unix user accounts rather than
running everything under the Apache uid (or sometimes nobody or
root!) would be a fine start.
> 3. "Quietly patching" user web applications without permission.
I would like to plead the Fifth at this point.
> 4. JGH - Just getting hacked.
This seems to be a popular enough technique, as long as the money
still keeps rolling in, but not one I particularly subscribe to
because the bad reputation gets round after a while.
> What have you encountered? What have you done, sorry, heard of someone
> else do, to combat this very difficult problem on your networks?
Hacked accounts aren't evenly distributed over the customer base. A
judiciously-applied account suspension or bollocking goes a long way.
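The two scanning tricks Peter describes (a list of MD5 sums of files you never want to see in a docroot, and grepping Perl scripts for "Matt Wright"), combined with his closing point that hits cluster on a few accounts, as one added example. This is not Peter's script or anything from the thread: it is an illustrative Python rendition that assumes the usual one-directory-per-customer layout under a root such as /home, builds its own constructed sample tree in a temp directory (the "known-bad" content is a harmless placeholder whose sum is computed on the fly, not a real malware hash), chmods each hit to 000, and tallies hits per account.

```python
"""Scan shared-hosting home directories for known-bad files and chmod them 000.

Detectors (both from the post): an MD5 blocklist of files you never want to
see in a docroot, and a content signature for the old Matt Wright Perl
scripts.  Hits are tallied per account so the repeat offenders stand out.
"""
import hashlib
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample: a harmless placeholder stands in for a known-bad upload.
# A real deployment would load the sums from a maintained blocklist file.
BAD_CONTENT = b"demo placeholder for a known-bad upload\n"
BAD_MD5 = {hashlib.md5(BAD_CONTENT).hexdigest()}

PERL_EXTS = {".pl", ".cgi"}
SIGNATURE = re.compile(rb"Matt Wright")  # the grep from the post


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def account_of(path, root):
    """First path component under root, i.e. the customer (/home/<account>/...)."""
    return os.path.relpath(path, root).split(os.sep, 1)[0]


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def classify(path, bad_md5):
    """Return why a file is a hit, or None if it is clean."""
    if md5_of(path) in bad_md5:
        return "known-bad md5"
    if os.path.splitext(path)[1] in PERL_EXTS:
        with open(path, "rb") as f:
            if SIGNATURE.search(f.read(1 << 20)):
                return "Matt Wright signature"
    return None


def scan(root, bad_md5, quarantine=True):
    """Walk root; return [(account, path, reason)]; chmod 000 each hit."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # chmod follows symlinks, so never act through one: a customer could
            # otherwise plant a link and get a file outside their tree locked.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            reason = classify(path, bad_md5)
            if reason:
                if quarantine:
                    os.chmod(path, 0)
                hits.append((account_of(path, root), path, reason))
    return hits


def per_account(hits):
    """Hits per customer: the post's point that hacks cluster on a few accounts."""
    return Counter(acct for acct, _, _ in hits)


def build_demo_tree():
    """Constructed sample layout (assumed): <root>/<account>/public_html/..."""
    root = tempfile.mkdtemp(prefix="hostscan-")
    files = {
        "alice/public_html/index.php": b"<?php echo 'hello'; ?>\n",
        "alice/public_html/up.php": BAD_CONTENT,
        "bob/cgi-bin/form.pl": b"#!/usr/bin/perl\n# Created by Matt Wright\n",
        "bob/cgi-bin/x.php": BAD_CONTENT,
        "carol/public_html/about.html": b"<h1>about</h1>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for acct, path, why in scan(demo_root, BAD_MD5):
        print(f"{acct:8} {why:22} {path}")
    print("per account:", dict(per_account(scan(demo_root, BAD_MD5, quarantine=False))))
```

Two caveats worth keeping in mind before running something like this for real: mode 000 only stops the web server from serving or executing the file, it does not stop the owning customer from chmodding it straight back (chown to root or, on Linux, `chattr +i` is what actually pins it), and an MD5 list is defeated by any single-byte change, so it catches mass-uploaded stock kits rather than anything tailored. The "Matt Wright" grep will also hit copies that have been patched, which is why the scan reports rather than deletes.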