Well, my primary box was cracked by a dipshit going after the recent awstats.pl bug.
It’s the same thing that hit Russell the other day.
The bare bones stuff (blog/comments/inbound email) is working on my secondary box. But a lot more needs to be fixed.
Yeay for me having reasonably good backups!
Boo for the asshole who did it.
More later, but I need to sleep. It’s 3.5 hours past when I planned to go to bed.
Comment from readers …
Oooooh! It was Awstats! S.O.B! Thanks Jeremy, that clears my mind tremendously.
Sorry you got hacked as well… what a pain in the ass.
I’ve noticed that most web-based exploits work by executing commands that download, compile, and run files in /tmp. My question is why /tmp allows execution by default on most Unix distributions? I run FreeBSD on my servers, and have the noexec flag in /etc/fstab for the /tmp partition. While you shouldn’t rely on this alone, it does seem to resist most if not all of the PHP/Perl/web-based exploits of the recent past long enough to give me an opportunity to upgrade or fix whatever is causing the problem. When the recent phpBB exploit was announced, I noticed several attempts in my /tmp of people downloading source code or pre-compiled binaries, but none were successful.
The only time this has caused a problem for me is when I need to do a make world in FreeBSD. This is easily resolved by remounting /tmp without the noexec flag for the period during which I’m upgrading the system.
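The mitigation described in the comment above, a /tmp mounted with noexec, is easy to get wrong silently (a flag that exists on the partition in your head but not in /etc/fstab). The script below is an added example, not code from the post or the commenter: it parses fstab-style text for the /tmp entry and reports whether noexec and nosuid are both set. The fstab lines in it are constructed for illustration; on a live system you would pass it the contents of /etc/fstab. The `mount -u` form in the trailing comment is FreeBSD's way of updating options on a mounted filesystem; on Linux the equivalent is `mount -o remount,noexec /tmp`.

```shell
#!/bin/sh
# Added example (not from the post or its comments): audit fstab text for a
# /tmp entry that carries noexec and nosuid. The sample fstab strings below
# are constructed for illustration, not taken from any real host.

# fstab_mount_opts FSTAB_TEXT MOUNTPOINT -> prints the options field of the
# uncommented line whose mountpoint matches; exits 1 if there is none.
fstab_mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mp { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# has_opt OPTS NAME -> exit 0 if the comma-separated OPTS list contains NAME
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tmp_exec_status FSTAB_TEXT -> prints one of: hardened, executable, missing
# "hardened" means both noexec and nosuid are present on /tmp;
# "missing" means /tmp is not a separate mount at all (so it inherits / options).
tmp_exec_status() {
    opts=$(fstab_mount_opts "$1" /tmp) || { echo missing; return 0; }
    if has_opt "$opts" noexec && has_opt "$opts" nosuid; then
        echo hardened
    else
        echo executable
    fi
}

# Constructed sample: /tmp is its own partition but mounted rw only.
FSTAB_WEAK='# Device        Mountpoint  FStype  Options                 Dump Pass
/dev/ad0s1a     /           ufs     rw                      1    1
/dev/ad0s1d     /tmp        ufs     rw                      2    2
/dev/ad0s1e     /var        ufs     rw                      2    2'

# Constructed sample: the configuration the comment describes.
FSTAB_HARDENED='/dev/ad0s1a     /           ufs     rw                      1    1
/dev/ad0s1d     /tmp        ufs     rw,noexec,nosuid,nodev  2    2
/dev/ad0s1e     /var        ufs     rw                      2    2'

# Usage: report both samples.
tmp_exec_status "$FSTAB_WEAK"      # executable
tmp_exec_status "$FSTAB_HARDENED"  # hardened

# Toggling the flag on a running FreeBSD box without editing fstab
# (shown as comments; not executed by this script):
#   mount -u -o noexec,nosuid /tmp   # harden
#   mount -u -o exec /tmp            # temporarily allow, e.g. during make world
```

Run it against the real file with `tmp_exec_status "$(cat /etc/fstab)"`. A result of `missing` is worth a second look: if /tmp is just a directory on the root filesystem, there is nothing to set noexec on, and a separate partition (or a tmpfs/mfs mount with the same flags) is the usual fix.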
It’s obvious to me that they’re going after Yahoo employees now. First Russ, now you. Yahoo.com is clearly the end goal, yep, clear as mud.
The reason they get the screenshot so quick is because the defacers report the crack straight away: