Hacker out to get us?

I heard several SEO sites were on a hacker hitlist (referrer logs come in handy sometimes). Some have already been hacked. And NO, I’m not going to make him more famous by linking.

I did an emergency upgrade, since I heard Wordpress already had fixed the hole he used.

7 Responses to “Hacker out to get us?”

  1. Rostislav Siryk Says:

    Interesting coincidence. Just a few hours ago my partner asked me why the main page of our website contained no info except a “#” character in the upper left corner. I checked the root directory of the server and found there an extra “index.html” file which contained just one “#” character. Our main index.php file remained unchanged, so I just deleted the “index.html” and the problem disappeared. However, there was also a “public_html/xvcsi” folder with pretty funky content.

    What it could be?

  2. admin Says:

    Actually, the hacker I was talking about had vowed to take out some of the main SEO sites. I’m flattered he included me, though I don’t consider this an SEO site. Anti-SEO, maybe. But yours is in another field entirely, and not on his list.

    But there are plenty of hackers to go around anyway…

  3. Cd-MaN Says:

    People of the world who are running PHP installations, I beg you to:

    - Turn on safe mode
    - Turn on magic quotes
    - Turn OFF register_globals
    - Turn OFF remote file inclusions

    While the first three may not be easily applicable because they may break so-called “mission critical” applications (although I ask you, can an application be considered mission critical if it doesn’t take even basic steps to secure itself?), the last one is very, very rarely used (and I don’t know why it was added in the first place, besides the fact that “we are cool, we can do this”) and you can turn it off, thus preventing at least 50% of the attacks / exploits, while losing less than 0.001% of your functionality.

    A bonus tip: 2 and 3 (magic quotes and register globals) can be turned off and on on a per-directory basis, so a security-conscious approach would be to turn them on / off globally and revert the changes only in directories where you have those “mission critical” applications.
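A way to check which of the four settings from the comment above a given PHP installation actually has, written as an added example; it is not code from the post or from any of the commenters. It assumes the real php.ini directive names of PHP 4 and 5 (safe_mode, magic_quotes_gpc, register_globals, allow_url_fopen, and allow_url_include, which only exists from PHP 5.2 on) and reads them with ini_get(). Two caveats a practitioner needs: safe_mode and the allow_url_* directives are PHP_INI_SYSTEM, so they can only be set in php.ini or httpd.conf and not in a per-directory .htaccess, which is why only register_globals and magic_quotes_gpc can be toggled per directory as the bonus tip says; and safe_mode, magic_quotes_gpc and register_globals were all removed in PHP 5.4, where ini_get() returns false for them.

```php
<?php
// Added example: audit the hardening settings discussed in the comment.
// Uses only ini_get(); the keys are genuine php.ini directives.
//
// Equivalent static settings:
//   php.ini (system-wide; the only place for the PHP_INI_SYSTEM ones):
//     safe_mode         = On
//     allow_url_fopen   = Off   ; PHP 4 / early 5: stops include("http://...")
//     allow_url_include = Off   ; PHP >= 5.2: the include()-specific switch
//     register_globals  = Off
//     magic_quotes_gpc  = On
//   .htaccess (per directory, PHP_INI_PERDIR directives only):
//     php_flag register_globals off
//     php_flag magic_quotes_gpc on

// directive => value the comment recommends (true = On, false = Off)
$wanted = array(
    'register_globals'  => false,
    'allow_url_fopen'   => false,
    'allow_url_include' => false,
    'magic_quotes_gpc'  => true,
    'safe_mode'         => true,
);

/**
 * ini_get() returns "", "0", "off" ... for Off and "1", "on" ... for On
 * depending on how the directive was written; normalise that to a boolean.
 * Returns null when the directive does not exist in this PHP build.
 */
function ini_flag_on($name) {
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    $v = strtolower(trim($raw));
    return !in_array($v, array('', '0', 'off', 'no', 'false'), true);
}

/** Compare every wanted directive with the live value and describe the gap. */
function audit_php_ini(array $wanted) {
    $report = array();
    foreach ($wanted as $name => $shouldBeOn) {
        $isOn = ini_flag_on($name);
        if ($isOn === null) {
            $report[$name] = 'not present in this PHP build';
        } elseif ($isOn === $shouldBeOn) {
            $report[$name] = 'OK (' . ($isOn ? 'On' : 'Off') . ')';
        } else {
            $report[$name] = 'WEAK: is ' . ($isOn ? 'On' : 'Off')
                           . ', set it to ' . ($shouldBeOn ? 'On' : 'Off');
        }
    }
    return $report;
}

// Usage: run from the web root as a one-off page or with `php audit.php`
// (the CLI and the web SAPI can load different php.ini files, so check both).
foreach (audit_php_ini($wanted) as $name => $status) {
    printf("%-18s %s\n", $name, $status);
}
```

Running the script under the web server rather than only from the command line matters, since the CLI SAPI may read a different php.ini, and an .htaccess override is only visible to the directory it sits in.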

  4. mario Says:

    @cd-man: Except register_globals (which was OFF since PHP 4.2), none of this seriously helps security IMO.
    The introduction of magic_quotes was a backwards non-solution and just left amateur programmers largely uneducated instead of fixing anything. You shouldn’t seriously use any script that relies on it or still uses mysql_query()-wrappers instead of prepared SQL statements. And safe_mode is just the idiot providers’ attempt to simulate sane chroot/suexec installations.

    But of course, the biggest problem here is that people still use PHP software just for its popularity. With the security track record of Wordpress or phpBB all magic securing workarounds like the above are void. To be fair, the latest exploits are mostly the Zend/PHP.net developers’ fault however.

  5. Cd-MaN Says:

    @mario: I disagree. A quick look at milw0rm revealed the fact that around 50% of the vulnerabilities in Wordpress are remote file inclusions. So disabling that functionality (which again I fail to see why it was included in the first place) reduces the chance of you being exploited by 50%!

    Also, you can excuse yourself by saying that you don’t always have a choice in what software / script you use, but there is no excuse for not taking every reasonable step to secure it. And no, ignorance is not an excuse!

    As for not using prepared statements: much to my surprise the mysql driver from Pear::DB doesn’t use them! You have to manually specify the mysqli driver for it. Why can’t it autodetect it? The DBI package for Perl does **real** prepared statements for more than 14 years now! Imagine my surprise when I was working on a new project and started using Pear::DB (which should be a mature database abstraction layer!) and discovered that it was using the “just put in the string in place of the ? mark” without even quoting it! This reflects very badly IMHO on the security mentality of the PHP people.
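The “just put the string in place of the ? mark” pattern this comment describes, and the mysql_query()-wrapper habit the earlier reply objects to, beside what a real prepared statement looks like in PHP. This is an added example and not code from the post, the commenters, Pear::DB or any other library; it assumes a table named posts with integer id and string title columns, a $mysqli or $pdo connection, and uses only the standard mysqli and PDO APIs.

```php
<?php
// Added example (not from the post or its commenters).
// Assumed schema: posts(id INT, title VARCHAR).

// --- The emulated "placeholder": string substitution into the SQL text ------
// Whatever arrives in $id is spliced into the query unchanged, so the database
// cannot distinguish the value from the query structure. Hand-quoting it is
// fragile (charset handling, one forgotten call site), which is the weakness
// the comment complains about.
function find_post_unsafe(mysqli $db, $id) {
    $sql = 'SELECT id, title FROM posts WHERE id = ?';
    $sql = str_replace('?', $id, $sql);        // NOT a prepared statement
    return $db->query($sql);
}

// --- Real prepared statement via mysqli ------------------------------------
// The statement text containing "?" is sent to the server and parsed first;
// the value is transmitted afterwards as a typed parameter and can never
// alter the statement, whatever it contains.
function find_post(mysqli $db, $id) {
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);       // 'i' = integer, 's' = string, etc.
    $stmt->execute();
    $stmt->bind_result($postId, $title);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $postId, 'title' => $title);
    }
    $stmt->close();
    return $rows;
}

// --- Same thing with PDO ---------------------------------------------------
// PDO's mysql driver emulates prepares client-side by default; switching
// emulation off gives the genuine server-side prepare the comment asks for.
function find_post_pdo(PDO $pdo, $id) {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (constructed connection details, placeholders only):
//   $db = new mysqli('localhost', 'db_user', 'db_password', 'blog');
//   print_r(find_post($db, $_GET['id']));
```

When auditing an abstraction layer, the test is not whether its API accepts “?” placeholders but whether the value ever gets merged into the SQL text on the client; a library that does the merge itself is in the first function’s category no matter how the call looks.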

  6. mad spammer Says:

    just one word. why should a hacker who is out for the big ones care about your blog? ha?

  7. ihatespam Says:

    I just spent half an hour writing a comment and it doesn’t post?
