In fact these phpBB exploits are done by bots, not humans. So as long as you have a phpBB that is not up to date you will have these exploits. The bots stop when the exploit is not possible. So install the latest secure version of phpBB.
If you can't install the latest version of phpBB (for example because your client doesn't do it), be sure to secure your box:
The simple way is to chmod wget to 700
You might also use mod_security with a rule like this one
The best is to have a /tmp partition with noexec,nosuid in /etc/fstab
But even if your box is secure (so the exploit is not done) you'll continue to receive these attacks because bots check whether phpBB is exploitable.
If you can't upgrade to the latest secure release of phpBB you might also suspend the account. In this case the documentroot is
Well, it is well explained in the thread you mention.
Generally these issues come from bots that use phpBB or phpNuke exploits (the most used is the phpBB one, via viewtopic and highlight).
I'd install mod_security if you haven't already done so.
Also there are two scripts from the VERY good r-fx website that you might use:
NSIV (network socket inode validation) and LSM (Linux socket monitor)
See here http://www.r-fx.org/nsiv.php
We have both, and if a PHP script has a security issue which enables a listener on port 80 or 443, then NSIV alerts us.
In fact, now we have fewer and fewer alerts, as we secured our /tmp and wget (+ mod_security).
So my advice is to first try to find which pid is using your port 443 by following Chris's and Paul's advice in the thread you mentioned, and then try to secure your box:
The best is to secure /tmp (create a /tmp partition with noexec, nosuid)
Secure wget: chmod it to 700
Install mod_security and install rules that stop known security issues of major scripts like phpBB, phpNuke, … (on shared web hosting you can't control that all your clients always install the latest secure release of their scripts. And I'm pretty sure they'll really appreciate it if you alert them that there is a security issue in their scripts and ask them to upgrade to the latest release)
Install these great r-fx tools
Hope this helps
pascal
PS: Interworx integrates two existing r-fx scripts: sim 2.5 (the autorestart feature; you might also tweak conf.sim to add sshd, qmail-smtp and tinydns (djbdns)) and apf (not the latest release but it is great), so do not install them.
About /tmp, it depends whether /tmp is a partition or a directory. If it is a directory you have to change it into a partition.
To change wget to 700, do as root via ssh:
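As an added example (not from the thread, and not code from r-fx, phpBB or Interworx): a small POSIX shell script that flags the viewtopic.php/highlight probe requests in an Apache access log and lists the source IPs, so you can see which bots keep hammering a box after it has been hardened. The log lines are constructed for the demo, and the match pattern (a literal, single- or double-URL-encoded quote inside the highlight parameter) is my own assumption about what the bot traffic looks like, not a signature taken from the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread): flag phpBB "viewtopic.php ... highlight="
# probe requests in an Apache access log and summarise them per source IP.
# The log lines are constructed for the demo; the match pattern is an assumption.

# Constructed sample log: two probes from 10.0.0.5 and two legitimate requests.
SAMPLE_LOG='10.0.0.5 - - [05/Jan/2005:10:01:02 +0100] "GET /forum/viewtopic.php?t=12&highlight=%2527.wget.%2527 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [05/Jan/2005:10:01:05 +0100] "GET /forum/viewtopic.php?t=7&highlight=phpbb HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jan/2005:10:02:17 +0100] "GET /forum/viewtopic.php?p=3&highlight=%27.curl.%27 HTTP/1.1" 200 455 "-" "lwp-trivial/1.41"
10.0.0.12 - - [05/Jan/2005:10:03:00 +0100] "GET /forum/index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"'

# is_phpbb_probe LINE: return 0 (true) when LINE is a request to viewtopic.php
# whose highlight= parameter carries a quote, literal (') or URL-encoded once
# (%27) or twice (%2527). A legitimate highlight value is just search words.
is_phpbb_probe() {
    case "$1" in
        *viewtopic.php*) ;;
        *) return 1 ;;
    esac
    # Pull out the highlight value: everything up to the next &, space or ".
    hl=$(printf '%s\n' "$1" | sed -n 's/.*[?&]highlight=\([^& "]*\).*/\1/p')
    [ -n "$hl" ] || return 1
    case "$hl" in
        *%27*|*%2527*|*\'*) return 0 ;;
    esac
    return 1
}

# count_phpbb_probes: read log lines on stdin, print how many were flagged.
count_phpbb_probes() {
    n=0
    while IFS= read -r line; do
        is_phpbb_probe "$line" && n=$((n + 1))
    done
    echo "$n"
}

# probe_sources: read log lines on stdin, print "count ip" for flagged lines,
# most active source first (handy for feeding a firewall deny list).
probe_sources() {
    while IFS= read -r line; do
        is_phpbb_probe "$line" && printf '%s\n' "${line%% *}"
    done | sort | uniq -c | sort -rn
}

# Demo on the constructed sample; on a real box pipe in /var/log/httpd/access_log.
printf '%s\n' "$SAMPLE_LOG" | probe_sources
```

The script only reports; it does not block anything. Its output is the kind of list you would hand to apf or a mod_security rule, and it is also a quick way to confirm, after hardening /tmp and wget, that the continued alerts are just bots probing rather than a successful exploit.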
which wget
it should return something like
/usr/bin/wget
then do
chmod 700 /the/path/of/wget (generally /usr/bin/wget)
To change your tmp directory into a mountable partition there are a few ways, but if you are not familiar with this, I do not think it's a good option. Maybe ask a sysadmin.
You might have a look here http://www.eth0.us/tmp but BE CAREFUL, you DO THAT AT YOUR OWN RISK
I know on the NEXCESS.NET side of things that they chmod 750 a bunch of scripts (ftp, wget, lynx, links, curl) and setup a group for each binary (i.e. a wget, curl, lynx etc group) and then for each user who needs access to a given binary they are added to that group. They go as far as chmod’ing perl, php, python, ruby etc 750 as well. Given the massive amount of bots looking for holes it saves many a headache for the admin.
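The group-based scheme above, and the chmod 700 procedure from the earlier post, as an added example written for this thread (not Nexcess's, Interworx's or r-fx's own code): a POSIX shell script that puts a binary into mode 750 under a dedicated group, verifies the result, and checks whether /tmp is really mounted with the noexec,nosuid options the earlier posts recommend. The names restrict_binary, verify_restricted, mount_has_opts and tmp_mount_opts are my own. The demo runs against a throwaway copy in a temporary directory under the caller's own group so it needs no root; on a real box you would run it as root against /usr/bin/wget after creating the group (groupadd wget) and adding the clients who need it to that group.

```shell
#!/bin/sh
# Added example (not code from the thread, Nexcess, Interworx or r-fx): per-binary
# group restriction (chmod 750 + dedicated group) and a /tmp mount-option check.
# Function names are my own; the sandbox copy below avoids needing root for the demo.

# perm_of FILE: print the octal mode, e.g. 750 (GNU stat, with BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# restrict_binary FILE GROUP: owner keeps rwx, members of GROUP get r-x,
# everyone else (including shells spawned by the web server user) gets nothing.
restrict_binary() {
    bin=$1; grp=$2
    [ -f "$bin" ] || { echo "restrict_binary: no such file: $bin" >&2; return 1; }
    chgrp "$grp" "$bin" || return 1
    chmod 750 "$bin" || return 1
}

# verify_restricted FILE: true when "other" has no permission bits and no
# setuid/setgid bit is set (a 4-digit mode such as 4750 is rejected).
verify_restricted() {
    mode=$(perm_of "$1")
    case "$mode" in
        ??0|0??0) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_has_opts OPTS WANT...: OPTS is a comma-separated mount option string
# (column 4 of /proc/mounts); true only if every WANT option is present.
mount_has_opts() {
    opts=$1; shift
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# tmp_mount_opts: print /tmp's options from /proc/mounts; prints nothing when
# /tmp is only a directory on the root filesystem (the case the thread warns about).
tmp_mount_opts() {
    awk '$2 == "/tmp" { print $4 }' /proc/mounts 2>/dev/null | tail -n 1
}

# Demo in a temporary directory with a fake wget and the caller's own group.
SANDBOX=$(mktemp -d)
printf '#!/bin/sh\necho "fake wget"\n' > "$SANDBOX/wget"
chmod 755 "$SANDBOX/wget"
restrict_binary "$SANDBOX/wget" "$(id -gn)"
if verify_restricted "$SANDBOX/wget"; then
    echo "$SANDBOX/wget is now mode $(perm_of "$SANDBOX/wget")"
fi
opts=$(tmp_mount_opts)
if [ -z "$opts" ]; then
    echo "/tmp is not a separate mount point"
elif mount_has_opts "$opts" noexec nosuid; then
    echo "/tmp is mounted noexec,nosuid ($opts)"
else
    echo "/tmp is a mount point but lacks noexec and/or nosuid ($opts)"
fi
rm -rf "$SANDBOX"
```

The check reads the live mount table rather than /etc/fstab on purpose: an fstab entry that was never remounted gives a false sense of safety, and a /tmp that is only a directory on / prints nothing at all, which is exactly the situation the earlier post says has to be changed. Note that mode 750 under a group is the same idea as chmod 700 but lets you grant the binary back to individual accounts without making it world-executable again.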
You mean you add the user to that group? Right?
Because on an Interworx box we can't change the group of files owned by a SiteWorx account. I think the quota uses the group set on files and not the user.
I say this because if we set the main group of user TOTO, for example to ALLOW or whatever, then all the files created by this user would take a default TOTO.ALLOW owner, right? And in this case the quota would not work.
If I understand correctly you mean you do something like
When running nsiv -so, I get the output below … is this normal?
Thanks
NSIV version 0.3 <nsiv@r-fx.org>
Copyright (C) 2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd} /usr/sbin/httpd inode verified on port 80
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd_ssl} /usr/sbin/httpd inode verified on port 443
{chk.named} bin value is null, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
error encountered in rule /usr/local/nsiv/rules/ocwhttpd
{chk.proftpd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
error encountered in rule /usr/local/nsiv/rules/sendmail
{chk.sshd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
About the "Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ": it is because the script does a ps -axu, for example, rather than a ps axu (without the -), but it is safe and does not block anything; it's just an informational message!