Last weekend was a bit of a disaster. One of the servers I was maintaining was hacked, big time. How did the (not so nice word) guys do it? Well, first of all, I learned hackers think they are doing good deeds. They did me a favor by hacking my server and by not "deleting all the files". They only defaced some 30 something sites and caused me lots of misery and site cleanup. Why do I say this? Based on the hacker’s signatory message – "Owned by nEtDeViL .. Just testing your Security .. Peace ! .. net_devil@…….com"
So Mr. hacker dude, if you really want to just "test" my security, why don’t you send me a kind email stating that you found some security holes and how to fix them? That would be a real gem of a good deed.
Anyway, there is always light at the end of the tunnel, good always comes from bad, if you are patient and learn from your mistakes.
Here is what I learned – TURN ON PHP SAFE MODE! The hacker exploited some old PostNuke script in the albums folder and uploaded some old Russian hack script called r57shell.php. This script allowed him to install some rootkits, which basically log everything you do on the server and all sorts of crap. Which caused me to have to get a new server, yada yada.
Now the first reason they managed to achieve this was that I didn’t have PHP safe mode on. I didn’t want to inconvenience my buddies on the server (ya right, dumb move.) So even if they managed to upload it, they can’t do much with PHP safe mode on. But with PHP safe mode off, well sorry buddy, even your own pals on the server can use this script to take over the server if you didn’t give your friends full rights to run stuff on it and they get mad at you (you know what they say… keep your friends close and your enemies…)
Second thing, I went all out and installed Suhosin (grown out of what was known as PHP Hardening Patch). I don’t know how much this will help me, but at the least it didn’t break anything on the server, so I’m leaving it there for good measure.
There is also mod_security for Apache, but that’s a bit difficult because it will slow down your server by checking every single request, plus it will break a bunch of scripts, so you will have to keep tweaking the regular expressions to get it to work nicely, especially if you have tons of apps on the server.
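As an added example (not configuration from this post or from Suhosin), here is a php.ini fragment that applies the safe-mode advice above alongside a few related directives that limit what an uploaded shell script can do; the open_basedir paths are placeholders. Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on newer versions only the other directives still apply.

```ini
; php.ini hardening fragment (added example, not the post's own config).
; Assumes a PHP 5.2/5.3-era server like the one described in the post.

; --- the weak defaults that let an uploaded web shell do real damage ---
; safe_mode = Off
; disable_functions =
; allow_url_fopen = On
; allow_url_include = On

; --- hardened values ---
safe_mode = On
safe_mode_gid = Off
; Confine each site's scripts to its own document root plus a temp dir
; (placeholder paths; set one open_basedir per virtual host).
open_basedir = /var/www/example-site/:/tmp/
; Remove the process-spawning functions a web shell needs to run commands.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; Stop remote-file includes and remote-URL fopen() from scripts.
allow_url_fopen = Off
allow_url_include = Off
; Keep PHP internals out of error pages and response headers.
display_errors = Off
expose_php = Off
register_globals = Off
```

After editing php.ini, restart the web server and confirm the values took effect with a phpinfo() page you then delete.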
Related reading – Forum Post: Tightening your PHP Security (just a few easy tips on how to tighten your security)
PS.. this server is running Microsoft Windows so don’t even bother trying to hack it
— okay don’t laugh