Limedrink
Guest
Many sites today have been defaced with:
hacked by fast_vagrant
It seems like the sites affected are those with index.php, index.html, or config.php files that are chmoded 777.
I have followed MANY steps in securing my server, from total SSH lock-down to chmoding binaries and securing the /tmp folder. Additionally, I am running mod_security in Apache and the latest version of Plesk with all of the updates.
I will edit this post later to include many more details regarding the security of the server itself.
I checked the /tmp dir, and the only thing that's not supposed to be there is a file called 'user.log' which was created around the time the defacements occurred. It is owned by user and group apache.
The file contains 1 line:
13:48:30 11/18/06 test1 [info] Authenticated : ,
Can anyone tell me how this happened? I'm thinking there may be others where they've been hacked the exact same way and may know some more information as to what happened.
Rkhunter reports nothing. I know the server has NOT been compromised. I feel like a script has been run that goes after files with those names that have insecure permissions.
If anyone has any information, please let me know.
Regards,
Limedrink.
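
Added example, not part of the original post: a shell audit for the condition the post describes, listing world-writable index.php, index.html and config.php files, world-writable directories, and files changed after a reference file such as the unexpected /tmp/user.log. The function names and the web root argument are assumptions; pass the path where the virtual hosts actually live.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for the defacement pattern described above.
# Function names and arguments are illustrative, not from the post.

# Files named index.php / index.html / config.php that "other" can write to.
world_writable_targets() {
    find "$1" -type f \
        \( -name 'index.php' -o -name 'index.html' -o -name 'config.php' \) \
        -perm -0002 -print | LC_ALL=C sort
}

# Directories writable by "other" without the sticky bit: any local user
# (including the web server account) can replace files inside them even
# when the files themselves are not writable.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | LC_ALL=C sort
}

# Files modified more recently than a reference file, to scope what changed
# around the time of the incident.
changed_since() {
    find "$1" -type f -newer "$2" -print | LC_ALL=C sort
}

# Usage: ./audit.sh <webroot> [reference-file]
if [ "$#" -ge 1 ]; then
    echo "== world-writable index/config files =="
    world_writable_targets "$1"
    echo "== world-writable directories (no sticky bit) =="
    world_writable_dirs "$1"
    if [ "$#" -ge 2 ]; then
        echo "== files modified after $2 =="
        changed_since "$1" "$2"
    fi
fi
```

Files reported by the first function can be tightened with `chmod o-w`; anything listed by `changed_since` that is not one of the defaced pages deserves a closer look.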