security update and security precautions for your server
hi everybody, we had an attack last week. (attacker uses safe-host.info)
So, please take care of your servers too (especially if you downloaded ehcp last week: if the ehcp installer has a file size bigger than 10M, it may be vulnerable; check the installer size on your server to be sure):
1- (now ehcp 0.30.4 is released, 0.30.5 is about to be released)
I released ehcp 0.29.15.3 with some security enhancements now. So, if you are using a version before 0.29.15, upgrade to this. If you already use 0.29.15, just replace your classapp.php file. Upgrade your ehcp to this fix asap, especially if your ehcp version is older than 0.29.15.
new version download: http://www.ehcp.net/ehcp_latest.tgz
2- you should search for backdoor shell php files. There may be such files in your directories. Those files can be put on the server by some faulty programs/scripts that are loaded in a site. I mean, vulnerable applications can cause your server to be hacked.
3- check/replace your ftp passwords and your root password also.
* check your ftp accounts for a homedir containing ../../ etc.
4- if you can find some logs/clues, send them to me.
5- I will check some other possibilities for such a break-in.
6- check any "custom http templates", they may contain some config that caused the break-in.
7- run apt-get update ; apt-get upgrade on your server. This will upgrade all packages. If required, reboot your server so that all changes take effect.
8- do NOT delete any open_basedir restriction on your domains (somebody did so). open_basedir is already enabled in ehcp, so it is secure: php shells can reach only the allowed dirs when open_basedir is enabled; otherwise they can see the whole system.
9- you may disable custom http on all domains; your clients may edit it and write something nasty.
10- *** check your /etc/passwd for a line with username postsmtp and a shell of bash. That should not occur; if there is one, delete it. (postsmtp:x:0:0::/tmp:/bin/bash)
11- if your logs are deleted regularly, check the /etc/cron.hourly dir or similar.
12- check your php and html files for content like: <iframe src='http://safe-host.info/' width=0 height=0></iframe> and remove it.
13- try to use the latest, most up-to-date ehcp, as it is more secure. Sometimes a newer beta can be more secure than a stable (older) ehcp.
* you may also have vulnerable php applications and code. So, please check your http logs for any break-in attempts, urls like ../../ etc. Attackers use some tools to find weaknesses.
* It has been reported to me that wordpress is being used by attackers. So, if you use wordpress, make sure it is up to date.
* It is advised to put in your php.ini:
* I cannot tell all details here, because most probably the hacker also reads all these things and finds other ways to hide. So, you need to find some other ways to detect and prevent break-ins into your server.
I learned now that something similar has also occurred on sourceforge.net: http://sourceforge.net/blog/sourceforge-net-global-password-reset/
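As an added example (not part of the original post or of ehcp itself), here is a small POSIX shell script that turns three of the checks above into functions: step 1 (installer size), step 10 (an extra uid-0 account such as postsmtp) and step 12 (the injected iframe). It runs against constructed sample files so it can be tried safely first; the 10 MiB reading of "10M" and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not ehcp code: three post-incident checks as functions,
# exercised on constructed sample data before pointing them at the server.

# ---- constructed sample data (not taken from any real server) ----
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postsmtp:x:0:0::/tmp:/bin/bash
EOF

SAMPLE_WEB=$(mktemp -d)
printf '<html><body>hello</body></html>\n' > "$SAMPLE_WEB/index.html"
printf "<html><body>hi<iframe src='http://safe-host.info/' width=0 height=0></iframe></body></html>\n" \
  > "$SAMPLE_WEB/injected.html"

SMALL_INSTALLER=$(mktemp)
printf 'placeholder installer contents\n' > "$SMALL_INSTALLER"
BIG_INSTALLER=$(mktemp)
dd if=/dev/zero of="$BIG_INSTALLER" bs=1048576 count=11 2>/dev/null

# Step 10: print every account with uid 0 other than root. The postsmtp
# line in the post has uid 0 and a bash shell, i.e. a second root login.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 12: list files under a directory that carry an iframe pointing at
# safe-host.info, so they can be inspected and cleaned by hand.
find_iframe_files() {
    grep -rlE "<iframe[^>]*safe-host\.info" "$1"
}

# Step 1 note: exit 0 when the installer is at most 10M. The threshold of
# 10 MiB (10485760 bytes) is an assumed reading of the post's "10M".
installer_size_ok() {
    size=$(wc -c < "$1")
    [ "$size" -le 10485760 ]
}

# On the real server the same functions are run like this:
# find_extra_uid0 /etc/passwd
# find_iframe_files /var/www
# installer_size_ok ./ehcp_latest.tgz || echo "installer larger than 10M: check it"
```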