[WEB4LIB] Hacking Linux websites

Rich Kulawiec rsk at magpage.com
Wed Jul 24 22:20:02 EDT 2002


On Tue, Jul 23, 2002 at 08:04:14AM -0700, Dan Lester wrote:
> Sharp Rise In Web Site Defacements On Linux Servers
> 
> Defacements of Linux-based Web sites this year already outnumber all
> of last year, while Microsoft IIS-based site defacements are down.
> 
> http://computerworld.com/newsletter/0%2C4902%2C72867%2C0.html?nlid=WS

Yep, this has been noticed.  Part of the reason is the growth in the
number of Linux-based web sites (mostly running Apache) and the decline
of IIS; another part is the addition of a *lot* of scripting and
programming features with the concomitant security risk; another
part is probably due to some amount of complacency in the Linux/Unix
community; and still another part is probably due to the increased
use of Linux (/Apache/PHP/Perl/MySQL/etc.) web sites by folks who
are new to the technology and haven't quite got the knack of it yet.

Two things are worth noting, though: first, the fixes to most of
the problems in the Linux/Unix world show up fast: when news of the
FreeBSD/Apache worm of a few weeks ago first started spreading, a quick
fix -- which would stop it in its tracks -- was available in under three
hours, followed by a thorough analysis and fix within 24 hours.  (This was
possible because all the affected software was open-source, thus readily
available for analysis by a large number of people.)  OTOH, there are
(the last time I saw the count) something like a dozen security issues
of a similar nature in IIS for which no fix has yet been issued.

Second, if you're going to run -- let's say -- Apache, PHP and MySQL
on Debian Linux -- then it is probably very much worth getting on the
mailing lists suffixed with "-announce" that are run by their developers.
Just about all open-source projects of any size have a mailing list;
some have several.  They're usually distinguished by suffix; for instance:

	foobar-dev -- Of interest to people developing foobar, i.e.
			hacking on the code
	foobar-users -- Of interest to people trying to use foobar
	foobar-docs -- For people trying to document foobar
	foobar-ports -- For people trying to port foobar to different
		operating systems or architectures
	foobar-questions -- The place for foobar newbies to ask questions
		of foobar experts

and the important one:

	foobar-announce -- Announcements of new releases & critical fixes

The "-announce" lists tend to be low-traffic, announcements-only and are
well worth being on for reasons beyond security issues.  But it's those
security issues that make membership essential: these lists are the
early warning system.

There are also security-specific mailing lists (e.g. bugtraq, focus-linux,
focus-ms, focus-virus, security-announce, cert, etc.) which have overlapping
coverage of most security issues and incidents.  It's probably worth
the effort for at least one person at each site -- whatever software
you're running -- to be at least idly monitoring these for relevant
traffic.  (For instance, publication of the source code on BugTraq
for an exploit which yields control of your web server to an attacker
is an indication that you will not be going home early and that more
coffee would be a very good idea. ;-) )

Here's a short list of some of the lists I'd recommend (with the
subscription address following; some of these use majordomo, some
use mailman, some use listserv, so salt to taste):

apache-announce: announce-subscribe at apache.org
apache-httpd-announce: announce-subscribe at httpd.Apache.Org
bugtraq list: listserv at lists.securityfocus.com
cert-advisory: majordomo at cert.org
debian-announce: debian-announce-request at lists.debian.org
focus-linux: focus-linux-subscribe at securityfocus.com
focus-ms: focus-ms-subscribe at securityfocus.com
focus-sun: focus-sun-subscribe at securityfocus.com
focus-virus: focus-virus-subscribe at securityfocus.com
freebsd-announce: majordomo at freebsd.org
freebsd-security: majordomo at freebsd.org
gnome-announce: gnome-announce-list-request at gnome.org
incidents-subscribe at securityfocus.com
mysql-announce: announce-subscribe at lists.mysql.com
netbsd-announce: majordomo at netbsd.org
netbsd-tech-security: majordomo at netbsd.org
openssl-announce: majordomo at openssl.org
php-announce: php-announce-request at lists.php.net
redhat-announce-list: redhat-announce-list-request at redhat.com
security-announce: majordomo at openbsd.org

---Rsk