)
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by mail.aus-biz.com (Postfix) with ESMTPSA id 19514FF2D3
for <users@???>; Thu, 10 May 2012 11:14:38 +1000 (EST)
Message-ID: <4FAB167B.3080703@???>
Date: Thu, 10 May 2012 11:14:35 +1000
From: Duane <duane@???>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:11.0) Gecko/20120329 Thunderbird/11.0.1
MIME-Version: 1.0
To: users@???
References: <20120509142238.GR12360@???>
In-Reply-To: <20120509142238.GR12360@???>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Thu,
10 May 2012 01:24:42 +0000
X-SA-Exim-Connect-IP: 208.82.100.153
X-SA-Exim-Mail-From: duane@???
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spamd0.lon.bitfolk.com
X-Spam-Level:
X-Spam-ASN: AS36252 208.82.96.0/21
X-Spam-Status: No, score=0.7 required=5.0 tests=SPF_NEUTRAL shortcircuit=no
autolearn=disabled version=3.3.1
X-Spam-Report: * 0.7 SPF_NEUTRAL SPF: sender does not match SPF record
(neutral)
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:51:10 +0000)
X-SA-Exim-Scanned: Yes (on mail.bitfolk.com)
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
VPS is secured against this
X-BeenThere: users@???
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2012 01:24:45 -0000
On 05/10/12 00:22, Andy Smith wrote:
> Hi,
>
> As you may be aware a major security problem was recently found in PHP when
> run in CGI mode. A customer has recently had their VPS compromised
> and has discovered probes for this vulnerability as described here:
>
> http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
>
> So, if you are running PHP in CGI mode you absolutely must secure it
> against this.
A friend of mine thinks php5-suhosin prevents the attack from working.
From kai.hendry@??? Thu May 10 07:40:55 2012
Received: from mail-we0-f176.google.com ([74.125.82.176])
by mail.bitfolk.com with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16)
(Exim 4.72) (envelope-from <kai.hendry@???>)
id 1SSNzY-0000hu-8j
for users@???; Thu, 10 May 2012 07:40:55 +0000
Received: by werc1 with SMTP id c1so942954wer.21
for <users@???>; Thu, 10 May 2012 00:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:sender:in-reply-to:references:date
:x-google-sender-auth:message-id:subject:from:to:cc:content-type;
bh=JS9jj23pgX6Yl1VV++ExXGbpyYxxUwPWl/0bSPx/4B8=;
b=LuDXt6q3rViVweUGf7SJSHgJO9GJANBVwiChhDVtnC467hgoU9eKJQbTZLEiRVUqmf
NS9btvEoH0xxI+U3rhOo4epvegsG627U6cQnaLkG65r5PnrqAJt3zmsXo/xnkBNvLl3W
fA5hdchYqPYb88O7mipJPue2oP7p48XwkM9HHpf27FeCdgQoUc5M2y+C82GIS48Bhw0+
UNDt6FQeyoSp+v4cRp2n76vNxeedRu65jb1GMid4aDeLlGii4HOsqnMuAuxUWOEgwmlh
smW8cw3kCikMDeMMQR/SwTEx+UriMH8yMHwneMGf40ZCCgrMISM8q/PiE6GPzixdMDiQ
9Y+g==
MIME-Version: 1.0
Received: by 10.180.78.233 with SMTP id e9mr7046898wix.5.1336635599213; Thu,
10 May 2012 00:39:59 -0700 (PDT)
Sender: kai.hendry@???
Received: by 10.223.109.78 with HTTP; Thu, 10 May 2012 00:39:59 -0700 (PDT)
In-Reply-To: <4FAB167B.3080703@???>
References: <20120509142238.GR12360@???>
<4FAB167B.3080703@???>
Date: Thu, 10 May 2012 15:39:59 +0800
X-Google-Sender-Auth: keztT0E8W-DexsbGTZjL6Fg9VYA
Message-ID: <CAF8XF0eKooFxBw5KaEqSdR97gwPmVXvfKXsK8R8O88sNPs755w@???>
From: Kai Hendry <hendry@???>
To: Duane <duane@???>
Content-Type: text/plain; charset=UTF-8
X-Virus-Scanner: Scanned by ClamAV on mail.bitfolk.com at Thu,
10 May 2012 07:40:52 +0000
X-SA-Exim-Connect-IP: 74.125.82.176
X-SA-Exim-Mail-From: kai.hendry@???
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spamd1.lon.bitfolk.com
X-Spam-Level:
X-Spam-ASN: AS15169 74.125.0.0/16
X-Spam-Status: No, score=-0.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
RCVD_IN_DNSWL_LOW,
SPF_PASS shortcircuit=no autolearn=disabled version=3.3.1
X-Spam-Report: * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at
http://www.dnswl.org/, low * trust
* [74.125.82.176 listed in list.dnswl.org]
* -0.0 SPF_PASS SPF: sender matches SPF record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
X-SA-Exim-Version: 4.2.1 (built Mon, 22 Mar 2010 06:51:10 +0000)
X-SA-Exim-Scanned: Yes (on mail.bitfolk.com)
Cc: users@???
Subject: Re: [bitfolk] PHP-CGI exploit probes seen - please make sure your
VPS is secured against this
X-BeenThere: users@???
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Users of BitFolk hosting <users.lists.bitfolk.com>
List-Unsubscribe: <https://lists.bitfolk.com/mailman/options/users>,
<mailto:users-request@lists.bitfolk.com?subject=unsubscribe>
List-Archive: <http://lists.bitfolk.com/lurker/list/users.html>
List-Post: <mailto:users@lists.bitfolk.com>
List-Help: <mailto:users-request@lists.bitfolk.com?subject=help>
List-Subscribe: <https://lists.bitfolk.com/mailman/listinfo/users>,
<mailto:users-request@lists.bitfolk.com?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2012 07:40:55 -0000
On 10 May 2012 09:14, Duane <duane@???> wrote:
> A friend of mine thinks php5-suhosin prevents the attack from working.
Suhosin has been harmful other folks say.
https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/
http://mailman.archlinux.org/pipermail/arch-announce/2012-May/000312.html
From duane@??? Thu May 10 08:06:34 2012
Received: from mail.aus-biz.com ([208.82.100.153])
by mail.bitfolk.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
(Exim 4.72) (envelope-from <duane@???>) id 1SSOOO-00021e-2z
for users@???; Thu, 10 May 2012 08:06:34 +0000
Received: from [192.168.2.141] (220-245-82-41.static.tpgi.com.au
[22
