-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, Aug 09, 2006 at 12:29:14PM -0400, Drew Weaver wrote:
If they got in via SSH and all they did was deface his website they must be stand-up guys, huh? Most likely they just wrote an executable to his /tmp directory and then used apache's amazing recursion checking to execute it. This is the most common case I've seen on the dozens of cPanel 'hacks' I've encountered.
/tmp, /var/tmp and /dev/shm based compromizes do seem to account for 70%+ of the hacking on cPanel servers these days.
I blame canned script kiddies tools for that. It is simply the easiest way to go.
Usually you will have a perl script there, so even nodev,noexec won't stop that.
[]s
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)