[nycbug-talk] Searching for suspect PHP files...

Matt Juszczak matt at atopia.net
Tue Mar 3 16:57:17 EST 2009

>> Those kinds of attacks are real easy to deploy by automated bots that
>> scan a large number of IPs.  They are non-targeted, but could be deadly
>> as well.  Most of them just use perl(1) (run as www user) to launch a
>> remote shell and then execute some rootkit.  By disabling execution of
>> programs like perl(1) for the world, you definitely can stop those basic
>> type of attacks.  Even the simple changing of the default application
>> path can help, as most of them use a simple http://host/application/
>> scheme.

perl run as the www user... well, if it's being run as the www user, not
much they can do right?  Not with the permissions of the www user, anyway.

