Phishing - Linux boxes are vulnerable
guy at incentre.net
Fri Oct 5 19:45:25 UTC 2007
On Thu, 2007-10-04 at 15:29 -0700, alan wrote:
> On Thu, 4 Oct 2007, Ben Mohilef wrote:
> > If the cracked script runs with sufficient authority to add a web page, the
> > phisher's job becomes trivial. The solution is for maintainers to make sure
> > that they can notify their customers each time a security fix is made. This
> > can be done in the script or by mandatory registration before a download.
> > Yum repositories and the equivalent for other distros should be helpful in
> > solving this problem.
> This becomes even worse when you consider hosting sites. The last one I
> dealt with had everyone on virtual servers that had no capacity to update
> the packages installed. (Yum was not installed. No patches had been
> applied. You could actually break the system because they had Plesk
> installed and packages would conflict. A real mess.)
> People think that just because someone set it up for them, it is secure.
> Rarely is that the case.
> People are trying to do complex things on the cheap. You are not seeing
> it done under Windows because doing anything useful is either not cheap or
> not easy.
> Under Linux they can do what they want, but they are too cheap to hire
> someone who has clues and can do it securely.
That is a very valid issue. It takes a fair amount of time to design a
hardened web server. If I remember correctly, the last time we
developed a web server architecture for customers, it took us quite
a while to determine all the tricks required to lock web accounts into
their own storage space including locking down PHP and Perl so that they
could not 'sneak' out. Of course when a web server is locked down
tightly, you will run into problems with some PHP and Perl scripts that
break because they are written poorly or contain malicious code, so you
will need to inspect many scripts before making them executable.