Mailinglist Archive: opensuse (3337 mails)

Re: [opensuse] Massive PHP DDOS ??
  • From: Eberhard Moenkeberg <emoenke@xxxxxxx>
  • Date: Thu, 20 Apr 2006 21:47:19 +0200 (CEST)
  • Message-id: <Pine.LNX.4.61.0604202138110.27882@xxxxxxxxxxxxxx>
Hi,

On Thu, 20 Apr 2006, Marcel Mourguiart wrote:
> On 4/20/06, jdd <jdd@xxxxxxxxx> wrote:
>> Marcel Mourguiart wrote:
>>
>>> Hi, I have a web server with SUSE 10 (php, apache, postnuke, etc.).
>>> My connection has been stopped because MY server is making DDOS attacks.
>>>
>>> Then I read this:
>>> http://blogs.zdnet.com/threatchaos/?p=310
>>>
>>> Is there a patch, link or whatever you can give me to resolve the problem??
>>>
>>> Sorry if this is not the appropriate list, I'm just desperate.
>>
>> The best way should be to update your PHP version with YOU,
>> or if this is not sufficient directly from the PHP site.
>>
>> I'm sure this bug is already fixed.
>
> I have everything updated with YOU.
>
> Carl: I'll subscribe to "suse-security" and I'm aware this is not a
> SUSE-specific bug or a Linux one; it is probably a PHP bug, which makes
> the problem just harder to resolve.
>
> Anyway, if somebody knows the specific problem with PHP or has a
> clue, I'll be happy to hear.

I am watching for "PHP invaders" with this cron job:

php-server1:1 21:39:34 ~ # cat bin/hack-detect
#!/bin/bash
# Snapshot every wwwrun process and every wwwrun-owned file in the
# writable areas, diff against the previous run and mail any change.

export HOST=php-server1
export DATE=$(date +%y%m%d.%H%M)
export B=/home/detector/bin          # private copies of the tools, not from PATH

SF=/home/detector/find.wwwrun
M="em@xxxxxxx"
S="${HOST} hack-detect ${DATE}"
rm -f "${SF}.old" "${SF}.dif"
mv "${SF}" "${SF}.old"
echo "=== Prozesse:" >"${SF}"
# all processes running as wwwrun, minus the normal Apache workers
${B}/pstree -p wwwrun | grep -v '^httpd2-prefork' | sort -u >>"${SF}"
echo "=== Dateien:" >>"${SF}"
# all files owned by wwwrun in the writable areas, minus PHP session files
for i in /tmp /var/lib/wwwrun /var/tmp
do
    ${B}/find "$i" -type f -user wwwrun | grep -v '^/tmp/sess_' | sort >>"${SF}"
done
# keep only the added/removed lines of the diff, drop the diff headers
${B}/diff -U 0 "${SF}.old" "${SF}" | grep -v '^--- \|^+++ \|^@@ ' >"${SF}.dif"
if [ -s "${SF}.dif" ]; then
    mail -s "${S}" "${M}" <"${SF}.dif" &
fi
php-server1:1 21:39:41 ~ #

It is simply monitoring all areas which are writable by the user wwwrun
and all wwwrun processes.

The invoked binaries reside in an exclusive place, so no rootkit will overwrite them.

It does not protect in any way; it only alarms.

Cheers -e
--
Eberhard Moenkeberg (emoenke@xxxxxxx, em@xxxxxxx)
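As an added example (not Eberhard's script and not openSUSE code), the same snapshot-and-diff idea in Python, extended to hash file contents so that an edited file is reported as well as a new one; the directory, the file names and their contents in demo() are constructed stand-ins for a wwwrun-writable area.

```python
import hashlib
import os
import shutil
import tempfile

def snapshot(roots):
    """Map every regular file under roots to (size, sha256). Hashing content
    also catches an existing file being edited, which the name-only find
    listing above cannot see. PHP session files are skipped, as in the cron job."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.startswith("sess_"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # vanished or unreadable; pick it up next round
                state[path] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def diff_snapshots(old, new):
    """Classify changes between two snapshots as added, removed, modified."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, removed, modified

def demo():
    """Constructed scenario in a temp dir standing in for /var/lib/wwwrun:
    session churn, a dropped file and an edited file. Returns basenames."""
    root = tempfile.mkdtemp(prefix="hack-detect-")
    try:
        def put(name, text):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        put("index.php", "<?php echo 'hello'; ?>")
        put("sess_abc123", "baseline session")
        before = snapshot([root])
        put("sess_def456", "new session")            # churn: must not alarm
        put("dropped.txt", "unexpected upload")       # new file: alarm
        put("index.php", "<?php echo 'edited'; ?>")   # same name, new content: alarm
        after = snapshot([root])
        return tuple([os.path.basename(p) for p in group]
                     for group in diff_snapshots(before, after))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run demo() to see the three lists; in a cron job you would pickle the snapshot between runs and mail the non-empty diff, exactly as the script above mails its .dif file.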