Hi, I experienced a defacing today on one of my sites. Someone managed to get an r57 shell into my site. I have modsecurity2, PHP Suhosin and suPHP installed as security precautions. What else can I do to protect myself against remote file inclusion? I am running Debian Lenny with a perfect server setup, from here. Any hints or ideas?
A properly configured mod security should be able to ward off most of those attacks; you could also investigate running PHP in safe mode. The issue with security is that it is a moving target. Keep scanning your applications for security vulnerabilities to keep ahead of the attackers.
Hi Topdog, you write "Keep scanning your applications for security vulnerabilities to keep ahead of the attackers". Can you recommend a security scanner which I can use to find any holes in this particular script?
Scanning is not just about using automated tools, but good examples are http://www.cirt.net/nikto2 and nessus with the commercial feed. You need to subscribe to security vulnerability lists as well, and also do your own application auditing to check applications for XSS, CSRF and other kinds of web vulnerabilities.
For application scanning you won't be that good with using nessus or nikto, even though they can help you as a start. It's like doing app pentests, where you have either the choice of doing some kind of black box testing, with automated support (e.g. with acunetix or similar; acunetix for at least detecting XSS and crawling is free, and you could combine this with other free tools like burp that can help to find more, when letting acunetix crawl through the page) and manual test, versus (manual / automated) code review. For PHP software you could try "rips". I did not use it yet, but the description sounded pretty interesting. Sqlmap, e.g., is interesting for checking SQL injections... You will find more tools when googling around for the above; owasp or webappsec (and their mailing list archives) are a good resource pool as well.