[BlueOnyx:12859] Re: Blueonyx Backdoor:Perl/Shellbot

Senthil Ramasamy samy at maxi.net.au
Tue Apr 16 00:06:07 -05 2013


Thanks Michael,

We will try suPHP method.

Regards,
Samy

-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Michael Stauber
Sent: Tuesday, 16 April 2013 2:45 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:12858] Re: Blueonyx Backdoor:Perl/Shellbot

Hi Senthil,

> Today again we are seeing same files re-appear. We have removed those 
> files again. But don't know how they are getting in?
> 
> Has anyone seen this before and have a solution? Or point us to right 
> direction?

Enable suPHP for all PHP enabled sites that have Wordpress or other doubtful
open source portals installed. (I mean no disrespect to the Wordpress
makers. But their software's success and widespread use makes it an excellent
and often exploited target).

If someone manages to trick Wordpress into downloading stuff to /tmp (or
other places) and you have suPHP installed, then the files will be owned by
the siteAdmin of the site that the Wordpress install belongs to. That makes
it pretty easy to spot which site was exploited to make this attack
possible.

Additionally suPHP throws in some extra limitations to the malice the
attackers can cause.

For more info on suPHP see this page:

http://www.blueonyx.it/index.php?page=suphp

Additionally it is a VERY good idea to reset "allow_url_fopen" and
"allow_url_include" back to the safe defaults of "No".

If these are turned on, scripts are allowed to access remotely hosted
resources - or even to include them into local code execution, which is
generally a horrible idea.

Remote access of scripts to certain resources is necessary for some of the
Wordpress functions to work. Such as the access and download of upgrades
and/or third party modules during install. While this is generally very
accommodating, you should turn that off in cases like this and only turn it
on briefly when you need it again. If your attitude is "security first",
you'd leave both of these options set to "No" and damn the consequences.
Just saying.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
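The two php.ini settings and the file-ownership check Michael describes, as an added example that is not part of the list thread (plain POSIX shell; assumes a Linux host with standard find/ls/awk, and every path and php.ini fragment below is a constructed sample, not a BlueOnyx location):

```shell
#!/bin/sh
# Added example, not from the list post. Two defender-side checks that follow
# from the advice above:
#  1. php_flag_is_off: confirm allow_url_fopen / allow_url_include are Off in
#     a php.ini (absent counts as "not Off", so the check is conservative);
#  2. owner_report: count files in a drop directory such as /tmp per owner;
#     with suPHP the owner is the siteAdmin of the site that wrote them.
# Paths below are constructed samples, not BlueOnyx's own locations.

# Usage: php_flag_is_off INI FLAG  -> exit 0 if FLAG is Off/0/no/false
php_flag_is_off() {
    # the last matching assignment wins, as in php.ini itself
    line=$(grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    val=$(printf '%s\n' "$line" |
          sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:];].*$//' |
          tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        off|0|no|false|'') return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: owner_report DIR  -> lines of "<count> <owner>", most files first
owner_report() {
    find "$1" -type f -exec ls -ld {} + |
        awk '{ n[$3]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Demo on a constructed scratch directory standing in for /tmp
demo=$(mktemp -d)
cat > "$demo/php.ini" <<'EOF'
; constructed sample fragment
allow_url_fopen = On        ; left at the WordPress-friendly setting
allow_url_include = "Off"
EOF
touch "$demo/wp-cache.php" "$demo/.x.pl"
for flag in allow_url_fopen allow_url_include; do
    if php_flag_is_off "$demo/php.ini" "$flag"; then
        echo "$flag: Off (safe default)"
    else
        echo "$flag: NOT Off - reset it in php.ini"
    fi
done
echo "files per owner under $demo:"
owner_report "$demo"
rm -rf "$demo"
```

On a real host you would point owner_report at /tmp and compare the owners it lists against the siteAdmin accounts of your Wordpress sites.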