Comments on: Apache.org defaced – Security archive case study

By: Anonymous

Anonymous — Tue, 09 Mar 2010 12:27:43 +0000

In May 2000, how many PHP shells existed? In March 2010, I believe that number is a bit higher.

By: http://sucuri.net

http://sucuri.net — Mon, 08 Mar 2010 06:16:53 +0000

Joachim: I agree, it doesn't have to be root, but any user other then the apache one.

As far as a php shell, they can be useful yes, but that doesn't take from the fact that you should have a deny all policy. If you see what they did in the text, they opened two different ports in LISTEN mode to do what they wanted.

Plus, if you have a restricted php configuration, even a php shell can be hard to pull it off.

By: Joachim Schipper

Joachim Schipper — Mon, 08 Mar 2010 06:12:02 +0000

Actually, there are plenty of ways to control a computer over port 80 – search for "php shell". One could also argue that updating the web site shouldn't need root.