Old 08-24-2006, 11:33 AM   #51
Peaches
Old broad
 
Join Date: Oct 2002
Location: Away
Posts: 13,933
Hacker's fault.
Old 08-24-2006, 11:34 AM   #52
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by prodiac
The best way to protect against that is to set your /tmp dir to be noexec, and link your other tmp directories there as well.

So not only do you always want to make sure you have the latest updates of all scripts you are running, but you want to make sure your directory permissions are also secure, don't allow writing if it doesn't need to be. Be careful with setting stuff to 777, etc.
Just to clarify this point - securing /tmp with noexec is not simply a chmod permissions command - /tmp needs to be chmod 0777 or things'll start going whacky. You need to mount /tmp with
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

or something similar and have it constantly mounted with noexec from fstab.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
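As an added example (not from the thread or from borked's HowTo), here is a small sh script that checks what the post above asks for: that /tmp is a separate mount carrying noexec and nosuid, both right now (what /proc/mounts reports) and in /etc/fstab, so the setting comes back after a reboot. The device name /dev/tmpMnt is borrowed from the post; the sample mount tables are constructed. One caveat a practitioner would add: a world-writable /tmp is normally mode 1777 (sticky bit set) rather than plain 0777, so that users cannot delete each other's files.

```shell
#!/bin/sh
# Added example (not from the thread or from borked's HowTo): verify that /tmp
# is a separate mount carrying noexec and nosuid, both live (/proc/mounts) and
# persistently (/etc/fstab). Both files share the column layout
# "device mountpoint fstype options ...", so one parser serves both.

# Constructed sample of /proc/mounts output: /tmp is hardened right now.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/tmpMnt /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw 0 0'

# Constructed /etc/fstab whose /tmp entry forgot the options: the live
# hardening above would silently disappear on the next reboot.
SAMPLE_FSTAB_BAD='/dev/sda1 / ext3 defaults 1 1
/dev/tmpMnt /tmp ext3 defaults 0 0'

# Constructed /etc/fstab that keeps the hardening across reboots.
SAMPLE_FSTAB_OK='/dev/sda1 / ext3 defaults 1 1
/dev/tmpMnt /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# mount_options TEXT MOUNTPOINT
# Prints the option field of the entry for MOUNTPOINT; returns 1 if there is
# no such entry (i.e. the directory is not a separate mount at all).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_option OPTS NAME -> 0 if NAME is one of the comma-separated options.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_hardened TEXT MOUNTPOINT -> 0 only if MOUNTPOINT is its own mount
# and carries both noexec and nosuid.
check_hardened() {
    opts=$(mount_options "$1" "$2") || {
        echo "$2: not a separate mount, noexec cannot apply" >&2
        return 1
    }
    has_option "$opts" noexec && has_option "$opts" nosuid
}

# tmp_report MOUNTS_TEXT FSTAB_TEXT -> 0 only if /tmp is hardened now AND
# will still be hardened after a reboot.
tmp_report() {
    status=0
    if check_hardened "$1" /tmp; then
        echo "live:  /tmp mounted noexec,nosuid"
    else
        echo "live:  /tmp is NOT hardened"
        status=1
    fi
    if check_hardened "$2" /tmp; then
        echo "fstab: /tmp entry keeps noexec,nosuid across reboots"
    else
        echo "fstab: /tmp entry lacks noexec/nosuid, hardening will not survive a reboot"
        status=1
    fi
    return $status
}

# Run against the constructed samples. On a real host, feed it the live files:
#   tmp_report "$(cat /proc/mounts)" "$(cat /etc/fstab)"
tmp_report "$SAMPLE_MOUNTS" "$SAMPLE_FSTAB_BAD" || echo "=> fix /etc/fstab before the next reboot"
```

The two-sided check matters because a hand-typed `mount -o remount,noexec /tmp` looks fine in `mount` output but is gone after the next reboot; the fstab column is where the hardening has to live. Directories that are not their own mount (the "not a separate mount" case) cannot be made noexec at all, which is why the post says to mount a dedicated device or image there.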
Old 08-24-2006, 11:34 AM   #53
the alchemist
Confirmed User
 
Join Date: Dec 2004
Location: Montreal, Canada
Posts: 3,271
Quote:
Originally Posted by Peaches
Hacker's fault.
lol classic... but really, the answer is in the question, whoever's "managing" the server is at fault...
__________________
264 349 400
Old 08-24-2006, 11:37 AM   #54
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by the alchemist
lol classic... but really, the answer is in the question, whoever's "managing" the server is at fault...
How so????
Like scannerX said - there is not a single server out there that is unhackable. The only ones which are unhackable from external sources are the ones unplugged from the internet.
Old 08-24-2006, 12:17 PM   #55
DamageX
Marketing & Strategy
 
Join Date: Jun 2001
Location: Former nomad
Posts: 14,293
Quote:
Originally Posted by Chris
I am not wanting a full 100% restore
I want one domain's files restored
the domain had no scripts
just a few html pages and about 200 images

that's it
nothing major... fuck all my other sites... I was getting tired of baby sitting em, just one site I want back
archive.org
__________________
Whitehat is for chumps

If you don't do it, somebody else will - true story!
Old 09-02-2006, 11:31 AM   #56
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
I've written a few HOWTOs over at SplitInfinity on a few "absolute musts" to securing your server....
nothing there on firewalls, since everyone has their own flavour (you are running a firewall aren't you?)


http://forums.splitinfinity.com/forumdisplay.php?f=7

Even if your server is managed, have a looksie at the HowTo's and if there's something in them that isn't implemented, ask your managed provider to get it sorted.

This list is non-exhaustive and I'll be adding to the HowTo's, esp for security as and when, so check there regularly.

Any questions, post in the forum, or hit me up on ICQ.

I also do one-off hardening configs for $100 - if interested hit me up (this includes much more extensive hardening than those HowTo's, but over time, I'll be posting pretty much all the HowTo's so you can do it yourself if you're savvy enough!)
Old 09-02-2006, 12:12 PM   #57
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
There's so much more than what you wrote there.
Quote:
1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-
curl/fetch/wget
That's all? I can think of at least 5 more commands that would upload things, plus some 10 more ways to add it without uploading...
__________________
agentGFY *at* gmail.com
Old 09-02-2006, 12:14 PM   #58
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
Quote:
Originally Posted by borked
I've written a few HOWTOs over at SplitInfinity on a few "absolute musts" to securing your server....
nothing there on firewalls, since everyone has their own flavour (you are running a firewall aren't you?)


http://forums.splitinfinity.com/forumdisplay.php?f=7

Even if your server is managed, have a looksie at the HowTo's and if there's something in them that isn't implemented, ask your managed provider to get it sorted.

This list is non-exhaustive and I'll be adding to the HowTo's, esp for security as and when, so check there regularly.

Any questions, post in the forum, or hit me up on ICQ.

I also do one-off hardening configs for $100 - if interested hit me up (this includes much more extensive hardening than those HowTo's, but over time, I'll be posting pretty much all the HowTo's so you can do it yourself if you're savvy enough!)

thanks for bumping this
now I am going to get 100 more icq from hosting companies wanting to sell me shit


fuck.
__________________
[email protected]
Old 09-02-2006, 12:43 PM   #59
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by Chris
thanks for bumping this
now I am going to get 100 more icq from hosting companies wanting to sell me shit


fuck.
lol - sorry!
Old 09-02-2006, 12:46 PM   #60
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by ladida
There's so much more than what you wrote there.

curl/fetch/wget
That's all? I can think of at least 5 more commands that would upload things, plus some 10 more ways to add it without uploading...
As it says - it HELPS
Adult websites are the most targeted sector. This was just a start to get a comprehensive security list together to help others.
So, hey, do us all a favour and add things to the threads I created
Old 09-02-2006, 01:29 PM   #61
johnny o
Confirmed User
 
Join Date: Jul 2006
Location: los angeles
Posts: 825
I'm actually responsible, I'll try not to let it happen again.
__________________
http://candydreams.com
info[at]candydreams[dot]com
Old 09-02-2006, 01:35 PM   #62
GrouchyAdmin
Now choke yourself!
 
Join Date: Apr 2006
Posts: 12,085
It depends to your level of management, but really, it's usually not directly applicable to the host.

For instance, if you are paying for a colocated server - most sites will install the basic OS, give you your IP list, and your root password. From there, it's all yours.

However, if you are paying for a managed host, you really need to see what their level of support is. Most 'managed' will monitor HTTP and do basic support, but not that many offer upgrades or updates beyond your initial install - some of them aren't even aware that they should update the OS, being that DirectAdmin/CPanel have the ability to update their specific Apache 1.3/PHP/etc support tools.

The closest experience to a fully managed system I've actually had was through a non-adult service, ICDSoft. They actually scanned all clients, and alerted those with phpBB2 to ensure they ran updates. It was surprising, being how cheap their services were. However, they DO NOT do adult, and I don't believe that they offer anything other than shared accounts at this time.

Sorry to hear you got hacked. It'd be interesting to know how they got in.
Old 09-02-2006, 02:12 PM   #63
ladida
Confirmed User
 
Join Date: Nov 2005
Posts: 2,167
Quote:
Originally Posted by borked
As it says - it HELPS
Adult websites are the most targeted sector. This was just a start to get a comprehensive security list together to help others.
So, hey, do us all a favour and add things to the threads I created
Um, I was more pointing to the fact that you did a "half job", and when security is the concern, that does more harm than it helps. If you're gonna cover one subject, cover it completely, don't write half of it, because I can assure you, 70% of webmasters are gonna read that, do what you said and think "okay, I disabled uploads, how in the hell did he get that exploit on the server", and they'll lose time searching in the wrong direction.
__________________
agentGFY *at* gmail.com
Old 09-02-2006, 03:20 PM   #64
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by ladida
Um, I was more pointing to the fact that you did a "half job", and when security is the concern, that does more harm than it helps. If you're gonna cover one subject, cover it completely, don't write half of it, because I can assure you, 70% of webmasters are gonna read that, do what you said and think "okay, I disabled uploads, how in the hell did he get that exploit on the server", and they'll lose time searching in the wrong direction.

rcp, lynx, links, scp, nc, elinks, proxy, vbox, lwp, GET will all be added to the HowTo in due time.

It's not a half-assed job. It's work in progress, fuckwit.
Now, if you want to help others to help themselves, add to the thread goddammit. 99% of the people who have servers here wouldn't know what to do. It's not easy putting up easy-to-follow instructions. So I did the basics and will update as and when I have the time.
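The HowTo line quoted earlier in the thread (`chmod 0750` on curl, fetch and wget) and the longer tool list in the post above both amount to one control: taking the "other" execute bit off programs that can pull files onto the box. The sh script below is an added audit example, not code from the thread or from borked's HowTo; it reports which of the tools named in the thread are still world-executable, so an admin can see what that step actually changed. It runs against a constructed directory of empty stand-in files, so it is safe to try anywhere. As ladida points out, this only raises the bar for one download path; it is a hygiene check, not a substitute for patching the scripts that get exploited in the first place.

```shell
#!/bin/sh
# Added audit example, not from the thread or from borked's HowTo: list which
# of the download/transfer tools named in the thread are still executable by
# "other" users, which is the bit that "chmod 0750" removes. The demo runs
# against a constructed directory; on a real host point it at /bin, /usr/bin
# and /usr/local/bin.

# Tool names taken from the thread's posts; which ones exist depends on the host.
AUDIT_TOOLS="curl fetch wget rcp lynx links scp nc elinks"

# world_executable FILE -> 0 if the "other" execute bit is set, 1 if not,
# 2 if the file cannot be listed. Parses ls -l rather than stat because the
# stat flags differ between Linux and BSD.
world_executable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    case "$perms" in
        *x|*t) return 0 ;;   # last char is the "other" execute (or sticky+exec) bit
        *)     return 1 ;;
    esac
}

# audit_tools DIR NAME... -> prints "<name> world-executable" or "<name> restricted"
# for each tool present in DIR; returns 0 if none are world-executable, else 1.
audit_tools() {
    dir=$1; shift
    found_bad=0
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue   # tool not installed here, nothing to report
        if world_executable "$f"; then
            echo "$name world-executable"
            found_bad=1
        else
            echo "$name restricted"
        fi
    done
    return $found_bad
}

# make_sample_dir -> creates a constructed bin directory with three empty
# stand-in files: curl and nc left at the usual 0755, wget already at 0750.
make_sample_dir() {
    d=$(mktemp -d)
    for t in curl wget nc; do : > "$d/$t"; done
    chmod 0755 "$d/curl" "$d/nc"
    chmod 0750 "$d/wget"
    printf '%s\n' "$d"
}

# Demonstration on the constructed directory. On a real host you would run:
#   for dir in /bin /usr/bin /usr/local/bin; do audit_tools "$dir" $AUDIT_TOOLS; done
sample=$(make_sample_dir)
audit_tools "$sample" $AUDIT_TOOLS || echo "=> some tools are still world-executable"
rm -rf "$sample"
```

The audit deliberately reports tools that are absent as nothing at all, so a clean run on a host that simply lacks `fetch` or `elinks` is not mistaken for a hardened one; compare the output against the package list if completeness matters.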
Old 02-04-2007, 12:42 PM   #65
Ange
Registered User
 
Join Date: Jan 2006
Posts: 44
it's the script's fault