On Thu, Jun 22, 2006 at 12:53:09PM -0400, Matthew T. O'Connor wrote:
> Is this a known problem? Have others seen it? What can I do to help
> prevent this?
>
> Thanks,
>
> Matt

Yes, it's a problem with non-secure php configuration and vulnerable php
scripts. Some suggestions:

(Already mentioned) Keep php scripts up to date! This is paramount
(Already mentioned) mount /tmp on loop with noexec
(Already mentioned) php.ini: allow_url_fopen = off
(Already mentioned) Learn how to use mod_security effectively
(Already mentioned) Block outbound tcp/80 with iptables/etc
(Already mentioned) SELinux can provide more fine-grained control over
                    "who" can do "what"
(Already mentioned) Use UNIX permissions to restrict access to
                    wget/curl/ncftp/lynx/etc

Additional:

php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec

Lots of times I find something in httpd's crontab to re-infect /tmp, so use
cron.deny:

    echo apache/httpd/www/etc >> /etc/cron.deny

I also block outbound access to tcp/6666-6669 (irc) and tcp/6881-6889
(bittorrent) as well as non-essential outbound udp (essential: dns, ntp) to
"contain" any damage caused by malware.

It is still possible to circumvent noexec. mod_security will only protect
you from disclosed vulnerabilities.

Security is a trade-off with convenience. So you must evaluate your options.
Shared web hosts tend to require convenience, while dedicated needs lean more
towards security. Become familiar with the scripts you are running, their
requirements, their security track record, and any alternatives if they
exist.

- Mike
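The following is an added example and not part of Mike's message or the list thread. It turns three of the recommendations above (the php.ini settings, noexec on /tmp, and the web-server user in cron.deny) into small POSIX sh audit functions, and goes a little beyond the message by making the cron.deny append idempotent (the plain `>>` in the message adds a duplicate line on every run). All inputs are constructed sample files written to a temporary directory, so nothing here touches a real php.ini, /proc/mounts or /etc/cron.deny; the file layouts and the user name "apache" are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): audit helpers for the
# php.ini, /tmp noexec and cron.deny hardening steps, run on constructed samples.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample php.ini with the weak settings (assumed layout).
cat > "$WORK/weak.ini" <<'EOF'
; PHP configuration (constructed sample)
allow_url_fopen = On
disable_functions =
EOF

# Constructed sample php.ini with the settings recommended in the message.
cat > "$WORK/hardened.ini" <<'EOF'
allow_url_fopen = Off   ; no remote file opens/includes
disable_functions = "system,exec,passthru,shell_exec,pcntl_exec"
EOF

# Constructed /proc/mounts-style data: /tmp carries noexec, / does not.
cat > "$WORK/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/tmp.img /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF

# Constructed, initially empty cron.deny.
: > "$WORK/cron.deny"

# Print the effective value of php.ini directive $2 in file $1: strip ';'
# comments, match "name = value", drop trailing blanks and surrounding quotes.
# The last definition in the file wins, as in PHP itself.
php_ini_get() {
    sed -e 's/;.*$//' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | tail -n 1 \
      | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print the functions from the message's list that are NOT in disable_functions.
php_missing_disabled() {
    current=$(php_ini_get "$1" disable_functions | tr ',' ' ')
    missing=""
    for fn in system exec passthru shell_exec pcntl_exec; do
        found=no
        for d in $current; do
            if [ "$d" = "$fn" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then missing="$missing $fn"; fi
    done
    echo "${missing# }"
}

# Succeed (0) when allow_url_fopen is off, 0 or unset; fail (1) otherwise.
php_url_fopen_off() {
    v=$(php_ini_get "$1" allow_url_fopen | tr '[:upper:]' '[:lower:]')
    case "$v" in off|0|"") return 0 ;; *) return 1 ;; esac
}

# Succeed when mount point $1 has mount option $2 in the mounts file $3.
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { if (found) exit 0; exit 1 }' "$3"
}

# Add user $1 to cron.deny file $2 exactly once (idempotent, unlike plain >>).
cron_deny_add() {
    if ! grep -qx "$1" "$2"; then echo "$1" >> "$2"; fi
}

# Succeed when user $1 is listed in cron.deny file $2.
cron_denied() { grep -qx "$1" "$2"; }

# One "ok"/"FAIL" line per check for php.ini $1, mounts $2, cron.deny $3, user $4.
audit_report() {
    if php_url_fopen_off "$1"; then echo "ok   allow_url_fopen is off"; else echo "FAIL allow_url_fopen is on"; fi
    m=$(php_missing_disabled "$1")
    if [ -z "$m" ]; then echo "ok   disable_functions complete"; else echo "FAIL still callable: $m"; fi
    if mount_has_opt /tmp noexec "$2"; then echo "ok   /tmp is noexec"; else echo "FAIL /tmp allows exec"; fi
    if cron_denied "$4" "$3"; then echo "ok   $4 is in cron.deny"; else echo "FAIL $4 may use cron"; fi
}

# Print the number of FAIL lines (always exits 0 so it is safe under set -e).
audit_failures() {
    audit_report "$@" | grep -c '^FAIL' || true
}

# Demo on the constructed samples: weak first, then hardened after cron_deny_add.
audit_report "$WORK/weak.ini" "$WORK/mounts" "$WORK/cron.deny" apache
cron_deny_add apache "$WORK/cron.deny"
audit_report "$WORK/hardened.ini" "$WORK/mounts" "$WORK/cron.deny" apache
```

On a real host you would point the functions at /etc/php.ini (or wherever your distribution keeps it), /proc/mounts and /etc/cron.deny; the sample files exist only so the script runs offline. Note that this only checks configuration, not the caveats in the message: noexec can still be worked around and mod_security only knows published signatures, so the audit is a floor, not proof of safety.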