How safe is your site?

Status
Not open for further replies.


If you're not running your own box, but going through a host and the host is a good host, I wonder how secure one is? I know shit about half the crap that goes on server side, should I be worried or should I feel secure knowing that my host has that side covered?
 
I just read through the comments for that post - should've done that before posting here - and it appears that the server side script it was displaying is something public already. So, if you have PHP on your site, it parses it to HTML before Google gets hold of it. I guess server side scripting can't be read after all, unless you royally fuck something up, like have it echo your entire php file to text...

lerchmo - can you add to this?
 
> I just read through the comments for that post - should've done that before posting here - and it appears that the server side script it was displaying is something public already. So, if you have PHP on your site, it parses it to HTML before Google gets hold of it. I guess server side scripting can't be read after all, unless you royally fuck something up, like have it echo your entire php file to text...
>
> lerchmo - can you add to this?

When you request a PHP page on a server, the server executes PHP to process the page and the output of that process is sent to the browser. If something is misconfigured or PHP is not installed, then the PHP code will not be processed and just the plain file will be sent as content.
That's why it's always a good idea to put a file with configuration above your web root and just include it into the PHP file that is accessible by the web. Because you never know, things could get screwed up during a server upgrade or something and send your PHP file as plain text.
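The layout described above, as an added example for this thread (it is not any poster's code): a single web-accessible `index.php` that pulls its configuration from a `private/` directory one level above the document root. The paths, the hypothetical `loadPrivateConfig()` helper and the contents of `config.php` are assumptions; the extra check that the resolved config path is not under the document root guards against a deploy that accidentally puts it back inside.

```php
<?php
// public_html/index.php : the only file under the document root.
// Added example for this thread, not code from any poster; every path is assumed.
//
// Assumed layout:
//   /home/example/public_html/index.php   <- document root (served by the web server)
//   /home/example/private/config.php      <- one level above, no URL maps to it
//
// If PHP ever stops being executed (broken upgrade, missing handler), a request
// for /index.php leaks only this small file; the credentials in config.php are
// not reachable over HTTP because they sit outside the document root.
declare(strict_types=1);

/**
 * Load the private configuration file and refuse to continue if it is
 * missing or, through a bad deploy, ended up inside the document root.
 *
 * @return array<string,mixed>
 */
function loadPrivateConfig(): array
{
    $docRoot    = realpath(__DIR__);                                  // public_html
    $configPath = realpath(dirname(__DIR__) . '/private/config.php');

    if ($configPath === false) {
        // Fail closed and say nothing about the path to the visitor.
        http_response_code(500);
        exit('Site temporarily unavailable');
    }

    // The config must NOT live under the document root; if it does, a
    // plain-text leak of it is only one URL away.
    if (strpos($configPath, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        http_response_code(500);
        error_log('config.php is inside the document root: ' . $configPath);
        exit('Site temporarily unavailable');
    }

    $config = require $configPath;   // config.php returns an array (see below)
    if (!is_array($config) || !isset($config['db_dsn'], $config['db_user'], $config['db_pass'])) {
        http_response_code(500);
        error_log('config.php did not return the expected array');
        exit('Site temporarily unavailable');
    }
    return $config;
}

// ---- private/config.php (assumed contents, shown here as a comment) ----
// <?php
// return [
//     'db_dsn'  => 'mysql:host=localhost;dbname=example',
//     'db_user' => 'example_user',
//     'db_pass' => 'placeholder-password',   // real value exists only on the server
// ];
// ------------------------------------------------------------------------

$config = loadPrivateConfig();

// Normal page rendering follows; only the output of this script reaches the browser,
// and the credentials are never echoed.
echo 'Configuration loaded.';
```

Whatever the include file is called, keep it outside the directory the web server serves from and have the public script `require` it by an absolute path built from `__DIR__`, as above; a relative `include 'config.php'` that relies on `include_path` is easy to break during a server move.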
 
> If you're not running your own box, but going through a host and the host is a good host, I wonder how secure one is? I know shit about half the crap that goes on server side, should I be worried or should I feel secure knowing that my host has that side covered?

You can tell if your host has their shit together by looking at whether they have locked their box down or not. I can usually tell by uploading a file that has phpinfo() in it to spill out all the details of the way that Apache and PHP are set up. It will also tell you what other modules are installed in Apache (like mod_security and other fun stuff). However, no matter what you do, if you upload a script that has a vulnerability in it then there really isn't anything you can do about it except remove the bad script. I have my own box and I do use it to host other people's web sites. Someone uploaded a bad script to my server and I had a tough time figuring out which account was the culprit while battling a script kiddie for a couple of days while he was deploying bots on my server. I finally found him and kicked him out and killed the bots for good. All that crap happened because a customer uploaded a vulnerable script. The box wasn't pwned, only the account. Still, it was more than I cared to have happen on my server. So no matter what you do to try and make sure that your box is secure, a determined hacker will get in. It's not a matter of if, it's a matter of when. Just look at Shoemoney's post on his blog and see that even people as good as he will leave the door open somewhere.

Zen
 
> So no matter what you do to try and make sure that your box is secure, a determined hacker will get in. It's not a matter of if, it's a matter of when. Just look at Shoemoney's post on his blog and see that even people as good as he will leave the door open somewhere.
>
> Zen

I totally agree. Some of the people that commented on that post at Shoemoney's site seem pretty arrogant, like he was an idiot for letting that happen. The truth is it can happen to anyone as long as they're human. People make mistakes, and in some cases it's not even their mistake that created the hole. When you become arrogant about it I think you actually make yourself more vulnerable.

Something else that should be pointed out is file permissions.
I think on most virtual hosts 644 for file permissions and 755 for public directories is ok. In Shoemoney's case his web files were probably at least set to 666, allowing a script that was being run with the web server's user permissions to overwrite them.
 
I tried to make my first site the other day, but I guess I left it too insecure. By midnight the same day, it had been hacked and defaced by a Turkish hacker.
 
> I tried to make my first site the other day, but I guess I left it too insecure. By midnight the same day, it had been hacked and defaced by a Turkish hacker.

If your php includes are named .inc, there is a possibility that they could be displayed as code. If you name them .php they would be processed before being sent to the browser. As SSHit<head> said, it is always best to have includes above your document root anyway.
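The two checks raised in this thread, file modes looser than 644/755 (the point made a few posts up about the 666 files) and `.inc` includes sitting under the document root (the point just above), can be audited from the shell account on a shared host. The script below is an added example, not any poster's code: the hypothetical `auditWebroot()` function walks a document root and reports both problems, and the small tree it inspects is constructed in a temp directory so it runs offline.

```php
<?php
// audit_webroot.php : walk a document root and report the two problems discussed
// in this thread. Added example, not any poster's code; the sample tree it builds
// is constructed here so the script runs offline.
//
//  1. Files or directories writable by group/others (mode looser than 644 / 755),
//     which let a script running as the web server user rewrite other files.
//  2. Include files named *.inc under the document root, which the server may
//     hand out as plain text instead of executing.
declare(strict_types=1);

const MAX_FILE_MODE = 0644;   // owner rw, everyone else read-only
const MAX_DIR_MODE  = 0755;   // owner rwx, everyone else read + traverse

/**
 * Return one string per finding for every path under $docRoot (sorted).
 *
 * @return string[]
 */
function auditWebroot(string $docRoot): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iter as $path => $info) {
        /** @var SplFileInfo $info */
        $mode     = $info->getPerms() & 0777;                 // drop type bits, keep rwx
        $relative = substr($path, strlen($docRoot) + 1);

        if ($info->isDir()) {
            if ($mode & ~MAX_DIR_MODE) {                      // any bit beyond 755 set
                $findings[] = sprintf('%s: directory mode %04o (expected at most 0755)', $relative, $mode);
            }
            continue;
        }

        if ($mode & ~MAX_FILE_MODE) {                         // any bit beyond 644 set
            $findings[] = sprintf('%s: file mode %04o (expected at most 0644)', $relative, $mode);
        }
        if (strtolower($info->getExtension()) === 'inc') {
            $findings[] = sprintf('%s: .inc include under the document root may be served as source', $relative);
        }
    }
    sort($findings);
    return $findings;
}

// ---- constructed sample tree (not a real site) ----
$root = sys_get_temp_dir() . '/audit_demo_' . getmypid();
mkdir("$root/includes", 0755, true);
file_put_contents("$root/index.php", "<?php echo 'ok';");
chmod("$root/index.php", 0644);                                     // fine
file_put_contents("$root/includes/db.inc", "<?php \$pass = 'placeholder';");
chmod("$root/includes/db.inc", 0644);                               // wrong extension
file_put_contents("$root/upload.php", "<?php // ...");
chmod("$root/upload.php", 0666);                                    // world-writable

foreach (auditWebroot($root) as $line) {
    echo $line, PHP_EOL;
}

// ---- remove the sample tree again ----
unlink("$root/includes/db.inc");
unlink("$root/index.php");
unlink("$root/upload.php");
rmdir("$root/includes");
rmdir($root);
```

Run it with `php audit_webroot.php`; on a real account, call `auditWebroot()` with the document root path instead of the constructed tree. Against the sample tree it flags the world-writable `upload.php` and the `includes/db.inc` file and stays silent about `index.php`. Renaming `.inc` files to `.php`, as the post suggests, fixes the second finding on any server; where you control the Apache config, a `FilesMatch` rule denying `.inc` is the server-side complement.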
 
If you look, most of those files indexed by Google are inside tar.gz archives. If PHP executes PHP as it should, that source is not visible.
 