I see a couple of scans in my logs from a few days ago. Am I right in
thinking the only Debian fix available is in sid?

On May 9, 2012 3:22 PM, "Andy Smith" <andy@???> wrote:
> Hi,
>
> As you may be aware a major security problem was recently found in PHP when
> run in CGI mode. A customer has recently had their VPS compromised
> and has discovered probes for this vulnerability as described here:
>
>     http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
>
> So, if you are running PHP in CGI mode you absolutely must secure it
> against this.
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
From andy@??? Wed May 09 17:08:42 2012
Date: Wed, 9 May 2012 17:08:42 +0000
From: Andy Smith <andy@???>
To: users@???
Message-ID: <20120509170842.GX12360@???>
References: <20120509142238.GR12360@???>
<CAOkDyE-5g0aDiQgyBTR0LRTBc8TSQeVD+BCgFz07PH8iCwUEuQ@???>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-ripemd160;
protocol="application/pgp-signature"; boundary="cDtQGJ/EJIRf/Cpq"
Content-Disposition: inline
In-Reply-To: <CAOkDyE-5g0aDiQgyBTR0LRTBc8TSQeVD+BCgFz07PH8iCwUEuQ@???>
OpenPGP: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
X-URL: http://strugglers.net/wiki/User:Andy
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
VPS is secured against this
X-BeenThere: users@???
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 17:08:42 -0000
--cDtQGJ/EJIRf/Cpq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hello,
On Wed, May 09, 2012 at 05:26:35PM +0100, Adam Spiers wrote:
> I see a couple of scans in my logs from a few days ago. Am I right in
> thinking the only Debian fix available is in sid?
I haven't looked into it much as I don't run PHP in CGI mode
anywhere (FastCGI is OK), but it seems that this is the case.
http://security-tracker.debian.org/tracker/CVE-2012-1823
Note that there is a workaround described in
> > http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
which blocks requests that have query strings that start with '-'.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
--cDtQGJ/EJIRf/Cpq--
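The workaround Andy points to works because of the CGI rule (RFC 3875 section 4.4) that a query string containing no unencoded '=' is split on '+' and handed to the CGI program as command-line arguments, so a query starting with '-' becomes a php-cgi option. The following is an added example, not code from this thread or from BitFolk: a small Python detector that applies that rule to constructed Apache access-log lines, and goes slightly beyond the single case in the text by also catching the URL-encoded ('%2D') and '+'-separated argument forms.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log lines (not taken from the thread). The first
# two resemble CVE-2012-1823 probes; the remaining three are ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2012:03:14:07 +0000] "GET /index.php?-h HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2012:03:14:09 +0000] "POST /cgi-bin/php?%2Dh HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
198.51.100.2 - - [06/May/2012:03:20:11 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [06/May/2012:03:21:45 +0000] "GET /list.php?sort=-date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [06/May/2012:03:22:00 +0000] "GET /search.php?phrase HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover the client IP, timestamp and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def is_cgi_arg_injection(query: str) -> bool:
    """True if the CGI server would pass this query string to php-cgi as argv
    with at least one argument that looks like an option.

    RFC 3875 s4.4: only a query string with no unencoded '=' is treated as a
    search string, split on '+', with each piece URL-decoded; so '%2D' and
    'foo+-h' are flagged, while 'sort=-date' is a normal form query and is not.
    """
    if not query or "=" in query:
        return False
    args = [unquote(part) for part in query.split("+")]
    return any(arg.startswith("-") for arg in args)


def find_probes(log_text: str) -> list:
    """Return one record per log line whose request target would be delivered
    to php-cgi as command-line options; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if is_cgi_arg_injection(query):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "target": m.group("target")})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]}')
```

A hit only tells you a probe arrived, not that it succeeded; the real fix remains the updated php package (as Ian notes below for Squeeze), with request blocking as a stopgap.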
From ian@??? Wed May 09 17:18:05 2012
MIME-Version: 1.0
In-Reply-To: <CAOkDyE-5g0aDiQgyBTR0LRTBc8TSQeVD+BCgFz07PH8iCwUEuQ@???>
References: <20120509142238.GR12360@???>
<CAOkDyE-5g0aDiQgyBTR0LRTBc8TSQeVD+BCgFz07PH8iCwUEuQ@???>
Date: Wed, 9 May 2012 18:18:00 +0100
Message-ID: <CAFTQQEmc6Rs1hECwKca95Vt+5ACcVtYPKpCF2gUaJfporXsKow@???>
From: Ian <ian@???>
To: users@???
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
VPS is secured against this
Adam Spiers asked:
> I see a couple of scans in my logs from a few days ago. Am I right in
> thinking the only Debian fix available is in sid?
An update for PHP in Squeeze became available in the last hour; I
presume it covers this. There are also a few more packages being
updated.
Ian
From zen57162@??? Wed May 09 18:42:53 2012
Date: Wed, 9 May 2012 19:42:44 +0100
From: john lewis <zen57162@???>
To: users@???
Message-ID: <20120509194244.786872ea@???>
In-Reply-To: