securing a system

Lisa Kachold lisakachold at obnosis.com
Wed Jun 15 12:09:29 MST 2011


Mod_security can, in and of itself, be easily DoS'd.  You better know what
you are doing with your recipes.

We are just stabbing at things; until you run a Rapid7 Nexpose Community
scan to see things like WebDAV (which are trivially pwn'd via Metasploit),
you won't know what the issues are.

You could easily rebuild it, move over the apps and have it encroached
again.

I would run the scan NOW to see what's exploitable before the rebuild.

And never exclude the possibility that the attack vector was that of
disgruntled past IT staff, encroachment from INTERNAL ssh keys or through
another hole (like a Microsoft IIS in the rack) running ftp, rdp or another
hackable service or web application.


On Wed, Jun 15, 2011 at 5:21 AM, JD Austin <jd at twingeckos.com> wrote:

> Be sure to install mod_security on Apache; it helps a lot.
> It is important to know how it got compromised so that you don't move that
> to the new system.  Common methods are SQL injection and using pages with
> poor input validation to run external code.  I don't know how big your
> databases are, but it's a good idea to dump them to text and skim through
> them for unusual text with backticks (`), @, $, readfile, exec, etc. that get
> rendered by the front end as code in poorly written pages.  Also look in
> your Apache logs; you will usually find it there also.
>
> Don't trust any code on your front end; install vanilla versions of them
> and re-implement any mods you've made (makes it REALLY obvious how important
> adequate documentation is).  It looks like you'll really need to scrutinize
> the mason-cm code.
> Good luck.
>
> JD
> PS: http://mason-cm.itassistance.biz/index
>
>
> On Tue, Jun 14, 2011 at 22:41, Steve Phariss <sphariss at gmail.com> wrote:
>
>> I may have a job putting a compromised system back into production
>> (actually we are moving them from Ubuntu to a RHEL VM...)
>>
>> I am still lacking some details, but they are running Apache, MySQL AND
>> Postgres, Drupal, and something called Mason-CM.  I am not sure why
>> the two DBs, but if there is not a good reason I will move them off of one or
>> the other.
>>
>> Anyone have any good docs on securing Apache, Drupal, the DBs, or
>> Mason-CM?
>>
>> Thanks
>>
>> Steve
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
Server Engineer/Security Administrator
HomeSmartInternational.com <http://www.homesmartinternational.com>
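As an added example, not code from anyone in this thread: a small Python triage script for the dump-skimming step JD describes. It flags rows in a SQL text dump that carry the tokens he lists (backticks, @, $, readfile, exec) plus a few PHP constructs that usually travel with injected content, and it can percent-decode Apache access-log lines first so the same patterns catch payloads hidden in query strings. The pattern list, the sample dump rows and the sample log lines are all constructed for this example.

```python
"""Triage a SQL text dump (or an Apache access log) for content that a PHP
front end might execute or render as code.

Added example for this thread, not code from any of the posters. The
pattern list and every sample line below are constructed.
"""
import re
import sys
from urllib.parse import unquote

# The tokens JD lists (backtick, @, $, readfile, exec) plus a few PHP
# constructs that commonly travel with injected page content.
SUSPICIOUS_PATTERNS = [
    (r"`[^`]+`", "backtick execution"),
    (r"\beval\s*\(", "eval call"),
    (r"\b(?:exec|shell_exec|system|passthru|readfile|file_get_contents)\s*\(",
     "exec or file read"),
    (r"\bbase64_decode\s*\(", "base64_decode"),
    (r"<\?php", "inline PHP tag"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\b", "request superglobal"),
    (r"@\s*\$?\w+\s*\(", "error-suppressed call"),
    (r"<script\b", "script tag"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SUSPICIOUS_PATTERNS]


def scan_lines(lines, url_decode=False):
    """Return (line_no, label, excerpt) for every pattern hit.

    url_decode=True percent-decodes each line before matching, which is what
    an access log needs: the interesting part of a request sits in the query
    string and is usually percent-encoded, so the raw line would not match.
    """
    hits = []
    for n, raw in enumerate(lines, 1):
        line = unquote(raw) if url_decode else raw
        for rx, label in COMPILED:
            m = rx.search(line)
            if m:
                lo, hi = max(m.start() - 20, 0), m.end() + 20
                hits.append((n, label, line[lo:hi].strip()))
    return hits


def flagged_line_numbers(hits):
    """Distinct line numbers that produced at least one hit, in order."""
    return sorted({n for n, _, _ in hits})


def scan_file(path, url_decode=False):
    """Scan a file line by line; errors='replace' keeps odd bytes from aborting."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh, url_decode=url_decode)


# Constructed sample rows, in the shape of a mysqldump of a Drupal site.
# Row 3 is the classic injected-page idiom; row 4 is a script tag that may
# or may not be legitimate, which is why hits go to a human for review.
SAMPLE_DUMP = [
    "INSERT INTO node_revisions VALUES (1,'Welcome','<p>Hello and welcome.</p>');",
    "INSERT INTO node_revisions VALUES (2,'Contact','<p>Mail info@example.com</p>');",
    "INSERT INTO node_revisions VALUES (3,'x','<?php @eval(base64_decode($_POST[\"c\"])); ?>');",
    "INSERT INTO blocks VALUES (7,'footer','<script src=\"http://example.invalid/x.js\"></script>');",
]

# Constructed access-log lines (192.0.2.10 is a documentation address). The
# second request carries the same kind of payload, percent-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2011:10:00:00 -0700] "GET /index.php?q=node HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Jun/2011:10:00:05 -0700] "GET /index.php?q=%3C%3Fphp%20eval(%24_GET%5Bc%5D)%3B%3F%3E HTTP/1.1" 200 12',
]


def report(hits):
    for n, label, excerpt in hits:
        print(f"line {n}: {label}: {excerpt}")


def main(argv):
    if len(argv) > 1:
        # Crude heuristic: treat anything named *log as an access log.
        report(scan_file(argv[1], url_decode=argv[1].endswith("log")))
    else:
        report(scan_lines(SAMPLE_DUMP))
        report(scan_lines(SAMPLE_LOG, url_decode=True))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed samples, or pass the path of a `mysqldump`/`pg_dump` text file or an access log. Treat the output as a worklist rather than a verdict: legitimate Drupal content does contain `<script>` tags and `@` signs, so the point is to shrink a multi-gigabyte dump to a few dozen rows a person can actually read, and then compare anything odd against the vanilla module code JD recommends reinstalling.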

