Re: shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]

[Peter Corlett <abuse () cabal org uk>]

On 24 Sep 2006, at 04:00, Gadi Evron wrote:
[...]
> With thousands of sites on every server and virtual machines  
> everywhere,
> all it takes is one insecure web application such as xxxBB or PHPxx  
> for
> the server to be remote accessed, and for a remote connect-back  
> shell to
> be installed. The rest is history.

Hence why I'm rather partial to the ROT13 of a certain such  
application: cucOO.

[...]
> We all (well, never say all, every, never, ever, etc.), many of us  
> face
> this. What solutions have you found?
>
> Some solutions I heard used, or utilized:
> 1. Remote scanning of web servers.

Well, I *did* at one point have a script that looked for files with  
any of a list of MD5 sums and chmod them 000 if it found one.  
Grepping for "Matt Wright" in Perl scripts and chmodding them is also  
not a bad idea :)

> 2. Much stronger security enforcement on servers.

Actually, even bothering to use Unix user accounts rather than  
running everything under the Apache uid (or sometimes nobody or  
root!) would be a fine start.

> 3. "Quietly patching" user web applications without permission.

I would like to plead the Fifth at this point.

> 4. JGH - Just getting hacked.

This seems to be a popular enough technique, as long as the money  
still keeps rolling in, but not one I particularly subscribe to  
because the bad reputation gets round after a while.

> What have you encountered? What have you done, sorry, heard of someone
> else do, to combat this very difficult problem on your networks?

Hacked accounts aren't evenly distributed over the customer base. A  
judiciously-applied account suspension or bollocking goes a long way.