On Wed, Jul 6, 2022 at 9:08 AM KK CHN wrote:
> On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz wrote:
>
>> Your log doesn't start early enough. Someone uploaded a web shell (or
>> found an existing web shell) to your server, possibly using an upload form
>> that doesn't validate the input, then used t
Happy Wednesday
OK, allow me to share some experience:
About 4 years ago 1one1 hosting, myself and a bunch of others got hacked.
This is because I was using common vhosts pointing to the web directory
because www:www were the rights (no real easy way to get around that) I
had to lock php do
On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz wrote:
> Your log doesn't start early enough. Someone uploaded a web shell (or
> found an existing web shell) to your server, possibly using an upload form
> that doesn't validate the input, then used that shell to run commands on
> your server.
>
Yes, t
Cross-site contamination is not the same as exploiting insecure php scripts
to upload malicious content.
I will agree that isolation is a good idea, but it really has little to do
with the thread at hand.
On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <
p...@scom.ca> wro
ur wordpress - but use a mirroring script to serve
the site as predominantly static {takes careful design to do this!}
-Original Message-
From: Paul Kudla (SCOM.CA Internet Services Inc.)
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]
OK, may or may not be related, but I found I had to lock php, wordpress
etc. down heavily in apache
especially if you are using vhosts
I found one authorized site could talk to another without making things
more strict
Yes, it's a pain to have one vhost per site but it's the only way to fully
Your log doesn't start early enough. Someone uploaded a web shell (or found
an existing web shell) to your server, possibly using an upload form that
doesn't validate the input, then used that shell to run commands on your
server.
I would consider your entire server to be compromised at this point s
https://pastebin.com/YspPiWif
One of the websites hosted by a customer on our Cloud infrastructure was
compromised, and the attackers were able to replace the home page with
their banner html page.
The log files output I have pasted above.
The site compromised was PHP 7 with MySQL.
From the a