Has my fedora 18 installation been hacked?

Reindl Harald h.reindl at thelounge.net
Fri Mar 15 12:30:43 UTC 2013 


Am 15.03.2013 12:16, schrieb Georgios Petasis:
> I suspect that it is a joomla 1.5.26 exploit. I have found two php files in the tmp folder of one web site,
> and POSTs to them in the apache access log file.
> I know this is an old version of joomla

this is the main problem

what your machine does / did is attack 3rd parties and this is
the most common what happens after intrusion and without your ISP
having open yes you would still not know that it happened

and this is the reason why my reaction on malinglists to
posts starzign with "i installed Fedora 14" is pure anger
because it is unacceptable and i was there on the other side
of a DDOS-Attack from many thousand ip's for nights and can
tell anybody that it is no fun try to hold the business alive
in such situations - you can be sure ALL of this thousands
attackers where hijacked servers / clients with whatever OS

> and I have made the mistake to make the folders tmp, cache & log
> writtable by the apache in selinux...)

the writeable is not the problem, how should they work readonly
but make them accessable AND executeable from the web is a big
mistake for several reasons:

* log: you do not want access to logfiles from outside
* cache: you do not want get applications cache readed from outside
* tmp: you do not want get temp-fiels of the application readed from outside

for any folder:
you do not want to get executed code from outside which can be injected
this affects also the log-file, i have seen attacks where php-code
was in the requests and someone found a small injection leak and
used the log file to prepare his whole script and execute it
with the injection leak
_________________________________________

i generally protect any log/temp/cache AND all folders where from
users uploaded files (miages, pdf...) are stored with disable
the php-engine and fro tmp/log deny access at all

"IfVersion" needs "mod_version.so" loaded and is used here
to prepare a smooth upgrade to Apache 2.4 after mod_security
acts correct with "mod_remoteip" behind a proxy

[harry at srv-rhsoft:~]$ cat /www/www.rhsoft.net/temp/.htaccess
<IfModule mod_php5.c>
 php_flag engine off
</IfModule>
<IfModule mod_php6.c>
 php_flag engine off
</IfModule>
<IfVersion < 2.4>
 Order deny,allow
 Deny from all
</IfVersion>
<IfVersion >= 2.4>
 Require all denied
</IfVersion>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130315/29c9c614/attachment.sig>

More information about the users mailing list