Date: Wed, 25 Apr 2001 15:26:19 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: mudman <mudman@R181204.resnet.ucsb.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: defaced websites and the like
Message-ID: <3AE74F0B.A9E714A2@globalstar.com>
References: <Pine.BSF.4.30.0104251453340.9592-100000@R181204.resnet.ucsb.edu>

mudman wrote:
>
> Every now and then you pick up a copy of the newspaper or you are on-line
> reading CNN.com or something and you hear about these "hackers" who broke
> into yada yada's website, or did this or that to NASA or the pentagon.

[snip]

> Are these kind of attacks on httpd itself (Apache or otherwise) or are
> said "hackers" (heh heh) breaking in through other channels or services?

In the recent past (the last year or so), the vast majority of these
defacements have been done by exploiting vulnerabilities in M$ IIS
webservers. The next biggest cause is probably vulnerable CGI programs.
Some CGI issues are associated with specific CGI packages, either
example scripts left in the webroot, administrative scripts without
proper controls, or just plain bad CGI security in the codes.

Of course, some defacements have nothing to do with webserver holes.
For example, "hackers lo-ove noodles!" (For those who are not familiar
with the quote, the Ramen Worm that attacks other services on Red Hat
systems also defaced the default install webpages.)

> Maybe as a good follow up, would using one OS over another OS change
> the risk assessment for this kind of thing? (although I admit this last
> question would take into account a lot of different variables)

For OSes, the key is to harden the system as appropriate. No OS, no,
not even OpenBSD, can be done as a default install, have the web server
turned on, and placed on the net with no additional steps. As opposed
to saying "this OS is more secure than that one," most of the time,
IMHO, the best approach is to decide which OS you (or your staff, your
contractor, whatever) are most capable of hardening well and stick
with it.

That said, avoid IIS, period. But it is an application issue, not OS.
As for CGI, that is pretty much a cross-platform problem.

-- 
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926