Re: we were attacked

To: Steve Kemp <skx@debian.org>, debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Michael Loftis <mloftis@modwest.com>
Date: Fri, 07 Apr 2006 18:31:50 -0600
Message-id: <[🔎] EAFE91510962797FDEEE3E9D@dhcp-2-206.wgops.com>
In-reply-to: <[🔎] 20060407215722.GA27589@steve.org.uk>
References: <[🔎] 44367C04.6030609@tau.org.ar> <[🔎] 4436DEE7.5070507@emenaker.com> <[🔎] 20060407215722.GA27589@steve.org.uk>



--On April 7, 2006 10:57:22 PM +0100 Steve Kemp <skx@debian.org> wrote:

  That is an appalling approach to dealing with the problem, especially
 if you have an old kernel which could allow privilege escalation.

  There are several approaches to actually tracking down the source
 of the problem.  The most obvious is to use the mod_security
 module for Apache to log incoming payloads and ban requests containing
 strings such as 'wget', 'r0nin', '/tmp', etc.

  Another approach would be to install 'snoopy', or similar, to log
 *every* executed script upon a host and then walk backwards from the
 initial intrusion to the execution of the script.

Another one is ti use mod_security from modsecurity.org. This helpsprevent stupid customers from getting your insecure system infected.Better still to use suphp or suexec so things don't run as www-data and runas their own users.


Steve
--




--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting

Reply to:

Follow-Ups:
- Re: we were attacked
  - From: "Roberto C. Sanchez" <roberto@familiasanchez.net>

References:
- we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>
- Re: we were attacked
  - From: Joe Emenaker <joe@emenaker.com>
- Re: we were attacked
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: we were attacked
Next by Date: Re: we were attacked
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread