We've found this guy has been probing us for several days, from IP addresses from the Philippines, Brazil, France, Texas, and who knows where else. Looks like he has a whole network of hiding places.

The URL of the site would contain strings like http://index.php?body=mrnelson.php. This made it pretty obvious that this was being used to include further text. I believe the same problem was found in PHPNuke, so it's not that original (sorry, Doug).

PHP isn't evil, but it sure makes it a lot easier to shoot off your own foot.

Kent Schumacher said:
>
>
> strayf at freeshell.org wrote:
>> On Sat, Mar 06, 2004 at 12:03:16AM -0600, Matthew S. Hallacy wrote:
>>
>>>On Fri, Mar 05, 2004 at 10:46:09PM -0600, Wayne Johnson wrote:
>>>
>>>
>>>>We all learn something every day... Especially with Linux.
>>>
>>>I hope one of the lessons learned is that PHP is evil.
>>
>>
>> I think the lesson is more that anything which is both easy and
>> powerful is also dangerous. PHP isn't evil, you just have to keep your
>> eyes open.
>>
>> -Steve
>
> If I'm understanding what happened correctly, Pastor Doug Coats made a
> PHP programming error, which resulted in a *unique* security hole on his
> system.
>
> Someone, possibly from the Philippines, then discovered this hole and
> used it to grab the passwd file.
>
> My question is, how was the hole detected? How long was the hole open
> before it was discovered? Is there something that made detecting the
> hole easy or ???
>
> Is cracker detection coverage of the web really as complete as this
> incident seems to imply?
>
> Kent
>
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
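
An added example, not part of the original message or of the site's code: one way to review a web server access log for the probing described above, by flagging every `body=` value that is not a page the site itself links to and grouping the hits by client address. It assumes Apache common/combined log format; the page names other than `mrnelson.php` are hypothetical and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: pages the site legitimately passes in ?body= (only mrnelson.php
# is named in the message; the other two are hypothetical).
KNOWN_PAGES = {"mrnelson.php", "home.php", "contact.php"}

# Apache common/combined prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

def classify(value):
    """Return why a body= value is suspicious, or None for a known page."""
    if value in KNOWN_PAGES:
        return None
    if value.startswith("/") or ".." in value:
        return "path outside the page directory"
    return "unknown page name"

def scan(lines):
    """Map each client IP to the (reason, value, status) events it caused."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target, status = m.groups()
        # parse_qs percent-decodes, so %2F-encoded paths are classified too.
        for value in parse_qs(urlsplit(target).query).get("body", []):
            reason = classify(value)
            if reason:
                hits[ip].append((reason, value, int(status)))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [05/Mar/2004:21:10:01 -0600] "GET /index.php?body=mrnelson.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Mar/2004:21:12:44 -0600] "GET /index.php?body=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1873',
    '203.0.113.99 - - [05/Mar/2004:21:15:09 -0600] "GET /index.php?body=/etc/passwd HTTP/1.0" 200 1873',
    '198.51.100.7 - - [05/Mar/2004:21:16:30 -0600] "GET /index.php?body=admin.php HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE).items():
        for reason, value, status in events:
            print(f"{ip}  {status}  {reason}: {value!r}")
```

A 200 status on a flagged request is the case worth following up first, since it means the server answered rather than rejected the value.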