SLUG Mailing List Archives
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- To: Mary Gardiner <mary@xxxxxxxxxxxx>, slug@xxxxxxxxxxx
- Subject: Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- From: Rick Welykochy <rick@xxxxxxxxxxxxx>
- Date: Mon, 02 Jun 2008 14:42:22 +1000
- User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:22.214.171.124) Gecko/20071128 SeaMonkey/1.1.7
Mary Gardiner wrote:
> I suspect attacks through web apps like WordPress are pretty common
> causes of compromise of machines run by essentially knowledgeable people at
> the moment, because there doesn't seem yet to be a good set of best
> practices for packaging and updating them (upstream tends to aim their
> instructions at people who might not even have shell access, let alone
> root access, and there's the whole plugin universe too).
Out of curiosity, I often query the server used in the links provided in
phishing scam emails.
More often than not, the phishing box is a compromised Linux server
running Apache and PHP. Rarely do I see a Windows server :(
I would tend to blame an out-of-date PHP install rather than Apache
as being the attack vector. If you are on AusCert or DebSec, you
will know how many exploits are discovered in PHP 4 and 5. And they
keep finding more. I did do a PHP install and was amazed at the
server info page. There are a myriad of hacks and "fixes" in PHP, as reflected
in the PHP system variables, to turn off all sorts of insecure features.
I got the feeling that out of the box and with little technical knowledge,
PHP is not a healthy addition to any Linux server.
Not wishing to start an OS war, but I rarely if ever have seen a BSD
or Sun box compromised. Is this due to sheer numbers of Linux and Doze?
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time.
-- Bruce Schneier
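Rick's point about PHP's "system variables" that exist only to switch off insecure behaviour is easiest to see next to a concrete configuration. The following is an added example, not code from the original post or from the PHP project: it parses a php.ini, reports the directives that were most often left On on 2008-era PHP 4/5 hosts, and emits a hardened copy. Which directives it checks, and the "Off" baseline it enforces, are this example's own assumptions about a sensible hardening pass; the sample php.ini is constructed.

```python
"""Audit a php.ini for directives that should be Off, and emit a hardened copy.

Added example, not code from the original SLUG post or from the PHP project.
The directive list and the Off baseline are this example's assumptions about
a reasonable hardening pass for a PHP 4/5 host; check them against your version.
"""

# directive -> why leaving it On is dangerous (assumed baseline, not PHP's own list)
RISKY_ON = {
    "register_globals":  "request parameters silently become PHP globals",
    "allow_url_fopen":   "file functions fetch arbitrary remote URLs",
    "allow_url_include": "include/require can load remote code (RFI)",
    "display_errors":    "stack traces and paths are shown to the attacker",
    "expose_php":        "X-Powered-By header advertises the PHP version",
    "magic_quotes_gpc":  "gives a false sense of SQL injection protection",
}


def parse_php_ini(text):
    """Flat key/value parse; php.ini uses ';' comments and optional [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def is_on(value):
    """php.ini accepts several spellings of a true boolean."""
    return value in ("1", "on", "true", "yes")


def audit(text):
    """Return sorted (directive, reason) pairs for every risky directive that is On."""
    settings = parse_php_ini(text)
    return sorted((d, why) for d, why in RISKY_ON.items()
                  if is_on(settings.get(d, "")))


def harden(text):
    """Return a copy of the ini with every risky directive forced to Off.

    Lines that already set a risky directive are rewritten in place (so the
    file keeps its order and its other settings); directives that were not
    set at all are appended, so the result does not rely on built-in defaults.
    """
    seen = set()
    out = []
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].strip()
        key = code.partition("=")[0].strip().lower() if "=" in code else ""
        if key in RISKY_ON:
            out.append(f"{key} = Off")
            seen.add(key)
        else:
            out.append(raw)
    for key in RISKY_ON:
        if key not in seen:
            out.append(f"{key} = Off")
    return "\n".join(out) + "\n"


# Constructed sample: the sort of php.ini a hurried install leaves behind.
WEAK_INI = """\
[PHP]
engine = On
register_globals = On      ; "makes the old scripts work"
allow_url_fopen = On
allow_url_include = On
display_errors = On
expose_php = On
"""

if __name__ == "__main__":
    for directive, why in audit(WEAK_INI):
        print(f"{directive} = On  -- {why}")
    print("--- hardened ---")
    print(harden(WEAK_INI))
```

Run it as-is to see the weak file flagged and the corrected file printed; point `audit()` at the contents of a real php.ini (PHP's `php --ini` reports where it lives) to check a live host. Note that `magic_quotes_gpc` is treated as something to switch Off here because it masks, rather than fixes, SQL injection; proper escaping or prepared statements in the application are the real fix.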