[nycphp-talk] Issues with server getting hacked
Chris Snyder
chsnyder at gmail.com
Fri Sep 11 15:26:37 EDT 2009
On Fri, Sep 11, 2009 at 3:16 PM, Randal Rust <randalrust at gmail.com> wrote:
> On Fri, Sep 11, 2009 at 3:11 PM, Chris Snyder <chsnyder at gmail.com> wrote:
>
>> They tar'd up the data from where? It might help you to know what
>> directory it was uploaded to.
>
> Yeah, they seem to be short on that detail, even though I posed the question.
>
>> But really, the problem could be anywhere in the system.
>
> I am fairly certain which domain it was. It's the one with an old
> version of CakePHP that we inherited.
>
Heh. You mean the version you can't upgrade because it would break everything?
Maybe it's time to see if you can put a Web Application Firewall in
front of the box or install mod_security or something along those
lines.
The answer to your original question (pinpointing the upload) is to
grep through the Apache logs for suspicious POSTs. Sounds like a lot
of fun if you don't have any idea when it happened.
More information about the talk
mailing list