Navigation

aceyzeriat · #11 1st January 2008, 16:32

Hello Falko,

I also found some exploits installed in the backups of the web sites but not in the main web sites !
Seems that my exclusion rules are not properly set up

When I make a safe copy of the web sites I host I usually just make a brutal "cp" in a "backup" directory, seems that apache has access to that sub directory (I thought only document root was accessible).

ideas ?
regards,
Arnaud

falko · #12 1st January 2008, 21:55

Do you use vulnerable web applications? Do you use PHP Safe Mode?

aceyzeriat · #13 2nd January 2008, 08:00

I host a lot of joomla web sites which don't support PHP_SafeMode. The difficulty for a joomla web site is to find an hosting server with the SafeMode turned off.

Now I believe I will reconsider those web sites and encourage the use of Drupal as CMS instead.

regards,
Arnaud

till · #14 2nd January 2008, 11:48

Quote:

I host a lot of joomla web sites which don't support PHP_SafeMode. The difficulty for a joomla web site is to find an hosting server with the SafeMode turned off.

I know this problem, its common with joomla. I had a joomla site on one of the servers that I maintained, the owner of the site did not install all joomla patches immediately when they get released. The website got hacked serveral times and only a strict php setup with safemode on prevented that the hackers were able to break out of the website directory. The last time it was a r57shell too if I remember correctly.

aceyzeriat · #15 4th January 2008, 05:46

Hello Till,

Do you mean he actually succeeded to make his joomla site operate with phpsafemode turned on ?

I have a question concerning perl scripts ...

The server has been used to run perl scripts sending phishing mail
Since none of my sites actually use perl script I brutaly uninstalled mode_perl ... and still attacks have restarted using perl scripts !!

I looked at http://perl.apache.org/docs/2.0/user/config/config.html

To enable mod_perl built as DSO add to httpd.conf:
LoadModule perl_module modules/mod_perl.so
This setting specifies the location of the mod_perl module relative to the ServerRoot setting, therefore you should put it somewhere after ServerRoot is specified.
If mod_perl has been statically linked it's automatically enabled.

How do I know if it has been statically linked ?
Anyway, removing mod_perl from the machine should have prevented the use of perl scripts, no ?

regards,
Arnaud

till · #16 4th January 2008, 11:24

Quote:

Do you mean he actually succeeded to make his joomla site operate with phpsafemode turned on ?

Partially. But this guy did use joomla only for edit the text on some pages.

Quote:

How do I know if it has been statically linked ?

I dont think that its statically linked in one of the common linux distributions.

Quote:

Anyway, removing mod_perl from the machine should have prevented the use of perl scripts, no ?

Do you have cgi support enabled for the website? Additionally, if php is run without safemode, it can be used to start a perl script even if mod_perl is not loaded.

Ovidiu · #17 10th May 2009, 15:06

I just had a similar rkhunter report:

Quote:

Warning: The command '/sbin/chkconfig' has been replaced by a script:
/sbin/chkconfig: a /usr/bin/perl script text executable

this hapened while I was still setting up the serevr, I remember, I couldn't find chkconfig, had to look for the package containing it and install it. would rkhunter --propupd remove this warning? I am sure that was me who caused that warning...