Re: [bitfolk] IMPORTANT: You need to renumber the IP address…

Author: G. Miliotis
Date:  
Subject: Re: [bitfolk] IMPORTANT: You need to renumber the IP address(es) of your BitFolk VPS
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
 VPS is secured against this
X-List-Received-Date: Wed, 09 May 2012 14:56:51 -0000



Help sought...

I'm running latest WP on Ubuntu LTS (10.04) using PHP5-CGI and lighttpd. I
know full well that my PHP5 will be vulnerable (v5.3.2, damn you Ubuntu;
CATCH UP FOR F**KS SAKE!!!), but I don't know how to go about securing it
in lighty (if I even need to). I do know that if I point a browser at
"index.php?-s", I get the front page of my blog back (as if I had left the
"?-s" off) and not anything that would scream "VULNERABLE!!!" at me.

Kind regards

Murray Crane



On 9 May 2012 15:22, Andy Smith <andy@???> wrote:

> Hi,
>
> As you may be aware a major security problem was recently found in PHP when
> run in CGI mode. A customer has recently had their VPS compromised
> and has discovered probes for this vulnerability as described here:
>
>
> http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
>
> So, if you are running PHP in CGI mode you absolutely must secure it
> against this.
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>
>
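
Added example, not part of the original thread: a small access-log check for the kind of probe discussed above, i.e. requests like "index.php?-s" whose query string has no "=" and begins with "-", so that a CGI binary would receive it as command-line switches (RFC 3875, section 4.4). The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common/combined log format: client IP, then "METHOD target HTTP/x.y", then status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_cgi_arg_probe(target):
    """True if the query string has no unencoded '=' and, once decoded,
    starts with '-' (the shape of the "?-s" test from the thread)."""
    _path, sep, query = target.partition("?")
    if not sep or not query or "=" in query:
        return False
    # Decode so that a percent-encoded hyphen (%2D) is caught as well.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")

def find_probes(lines):
    """Return (ip, target, status) for every log line that looks like a probe.
    The status code alone does not say whether the host is vulnerable: a
    server that ignores the switch still answers 200 with the normal page."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_cgi_arg_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2012:14:01:12 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/May/2012:14:02:40 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/May/2012:14:03:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8301',
    '203.0.113.5 - - [09/May/2012:14:03:09 +0000] "GET /?s=-s HTTP/1.1" 200 4410',
    '192.0.2.44 - - [09/May/2012:14:04:51 +0000] "GET /feed?rss2 HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    for ip, target, status in find_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {target} (status {status})")
```

Ordinary WordPress requests such as "?p=12" or a search for "-s" ("?s=-s") contain "=" and are not flagged.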

