Topic: Security Issues?

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
Security Issues?
« on: March 23, 2005, 08:39:52 am »
Hello,

It seems my website was compromised a few days ago. Are there any security issues I should be aware of with LMP? I removed all files that would be a problem and use a password that is secure; what other measures should I take to LOCK DOWN LMP?

Are there some modules (files) that are more prone to security issues?  Which ones are they?  

Any help appreciated.
Thanks,
-Brett
http://www.bgswebdesign.com/Contact-Us.php

*** I do custom List Mail Pro installations ***
Contact me through my website (above)

toma

  • Posts: 20
Security Issues?
« Reply #1 on: March 23, 2005, 10:37:32 am »
If you are running an older version of PHP you should upgrade to the newest one, especially if running a phpBB message board. The security issue with older PHP versions isn't ListMail related.
Tom

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
Security Issues?
« Reply #2 on: March 23, 2005, 10:51:29 am »
Hi Tom,

Running:  PHP 4.3.10, is that new enough?
Thanks,
-Brett
http://www.bgswebdesign.com/Contact-Us.php

DW

  • Administrator
  • Posts: 3787
    • https://legacy.listmailpro.com
Security Issues?
« Reply #3 on: March 23, 2005, 02:12:01 pm »
4.3.10 should be new enough to prevent the most recent PHP exploit.  It is theoretically possible that you could have been compromised through ListMail as I may not have protected every single variable in the program leaving you vulnerable to SQL injection.  I'm working on it.  I will be double-checking everything very soon.

What was the nature of the compromise?  Were the attackers able to modify your web site files?  If so, I don't suspect the attack came through ListMail.  It may have been a result of another member on the server, probably with shell access.  The most they should be able to do through ListMail is gain access to and/or modify your ListMail data (or other data in the ListMail database).
Dean Wiebe
ListMailPRO Author & Developer - Help | Support | Hosting

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
Security Issues?
« Reply #4 on: March 23, 2005, 02:42:50 pm »
Hi DW,

Is it more secure to have the config.php and admin.php in MY WEBSITE ROOT, instead of in the LMP folder?  It seems that would be better?  Also protecting LMP folder with a simple index.html file?

Quote from: "DW"
I may not have protected every single variable in the program leaving you vulnerable to SQL injection.


I've never heard of that, but it would be great if you added protection for everything - hackers are getting better every day  :?

Quote from: "DW"
What was the nature of the compromise?  Were the attackers able to modify your web site files?  It may have been a result of another member on the server, probably with shell access.


Yes, they completely replaced the files with another website! The host company has not told me who did it, or even which script was attacked yet, so I don't know if it's LMP. Actually I kind of doubt it. I do have other Perl scripts running, but those have run for years too, so maybe your idea of someone grabbing shell access from the server seems more likely. I've never heard of that though, and why would someone do that?
Unless they wanted to mess with my data/website and that was the easiest way in.

Quote
The most they should be able to do through ListMail is gain access to and/or modify your ListMail data (or other data in the ListMail database).


That's good to hear. Also, I feel pretty comfortable as I backed up the entire database just a day or so ago, so no loss on that end :D Here's a tip for everyone else: consider backing up frequently AND download it to your local machine so you have a copy, and back that copy up too to another hard drive or computer, preferably off-site.
Thanks,
-Brett
http://www.bgswebdesign.com/Contact-Us.php

DW

  • Administrator
  • Posts: 3787
    • https://legacy.listmailpro.com
Security Issues?
« Reply #5 on: March 27, 2005, 06:49:44 pm »
Quote
Is it more secure to have the config.php and admin.php in MY WEBSITE ROOT, instead of in the LMP folder? It seems that would be better? Also protecting LMP folder with a simple index.html file?

No, this is not necessary.  If anyone browses to or tries to "wget" the config.php or admin.php files they will see an empty page since the files only contain var and function definitions.

It is a good idea to set up an .htaccess file in your /attach folder, like so:
Code:
Order Deny,Allow
Deny from All

With an .htaccess file set up this way you don't have to worry about your files being accessible from the web when you make a backup or export. ListMail should still be able to read and send them to you. Let me know if it can't and I'll fix it. I'm going to start recommending this during installation.

Quote
Yes, they completely replaced the files with another website! The host company has not told me who did it, or even which script was attacked yet

It's difficult, if not impossible, to find out exactly what happened. It's possible your server was exploited by a worm that automatically replaced your files. The server was likely vulnerable for not keeping up with updates. (Do you know if they just upgraded PHP? If so, they have been exposed for a while. However, I do not believe this vulnerability gave full access to web sites, unless Apache is run as the 'root' user, which is not recommended. I believe it simply gave a shell where a worm could use the server for DoS attacks.) The attack could have come through other software, too. I can only guess as to what happened. If you were the only one on the server targeted there might be reason for concern, but if everyone experienced the same thing you should be ok now that the server is up to date (if the attacker didn't put in a back door.. :))

Regards
Dean Wiebe
ListMailPRO Author & Developer - Help | Support | Hosting
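
An added example, not part of the post above or of ListMail's own files: the same deny-all rule for the /attach folder, written so it works on both Apache 2.2 and Apache 2.4. It assumes the site is served by Apache and that the server's AllowOverride setting lets .htaccess files take effect; where AllowOverride is None the file is silently ignored, so confirm that requesting a file in /attach from a browser returns 403 Forbidden.

```apache
# .htaccess placed in the /attach folder (added example).
# Blocks all HTTP access to the folder. Server-side scripts read the
# files from disk rather than over HTTP, so they are not affected.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later: access control is handled by mod_authz_core.
    Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 and earlier: the syntax given in the post above.
    Order Deny,Allow
    Deny from All
</IfModule>
```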

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
Security Issues?
« Reply #6 on: March 29, 2005, 08:59:21 am »
Hi,

Quote
It's difficult, if not impossible, to find out exactly what happened. It's possible your server was exploited by a worm that automatically replaced your files. The server was likely vulnerable for not keeping up with updates


I've never heard of that but possibly an option; all data was fine, etc... just the website defaced.... The host has not been helpful at providing me an IP of the attacker, so who knows where the attack came from.

I'll include the .htaccess file from now on in the Attach folder, thanks for the tip.
Thanks,
-Brett
http://www.bgswebdesign.com/Contact-Us.php