- 03-19-2011 #21
Code:
[Sat Mar 19 15:17:10 2011] [warn] NameVirtualHost 86.120.148.140:80 has no VirtualHosts
That means that there are no VirtualHosts defined for "86.120.148.140:80"
Probably your VirtualHosts look like this "*:80" or this "86.120.148.140", hence the warning.
As for the logs:
Again, logs are defined in the config files.
These can be in /etc, /etc/httpd, /etc/apache
If you can't find them:
Code:
updatedb
locate my.cnf
locate httpd.conf
locate apache.conf
Another way of finding them is to look at the files that are held open by apache and mysql:
Code:
lsof | egrep '(apache|http|mysql)' | grep log
P.S.:
Glad your sites are up again, but it might be good to have the following action items:
- investigate if there was an intrusion
- if yes, how was it done? Then establish countermeasures.
- consider reinstalling the sites on a new machine
- documentation: what was installed and how?
- create a backup system
Last edited by Irithori; 03-19-2011 at 02:20 PM.
You must always face the curtain with a bow.
- 03-20-2011 #22
Thank you for all your help. I hope it was only the TMP folder. Is there any way of securing the TMP so that it does not execute from tmp? I have disabled 777 on the TMP folder, preventing it from executing files from it, but there is a big problem: all other legit operations, uploading and renaming images for example, are not going to happen anymore because there is no permission to write. So is there a way to secure it but with permission 777 on it?
- 03-20-2011 #23
Well, if that tmp dir is a partition, you can mount it with nodev and noexec.
Code:
man mount
Then you can use specific tmpdirs per application via application config and/or php.ini/php_admin_value.
This is a first step to separate applications that run on one apache instance.
A further one might be open_basedir.
But all those measures help little, if the application itself allows (in the worst case) arbitrary command execution.
So first priority is to get the apps secure, especially the internet facing ones.
You say, files were copied to and executed from tmp.
So:
- What was exploited? ssh, apache, php, your apps, etc?
- how were those files put there?
- how were those files executed?
One more political point:
Try to get people involved.
Security is not the sole problem of the OPS team.
Devs can only work on projects that have been given priority and resources by management.
And at least in my place, management needs a reminder from time to time
that investment in structure and security/performance remediation projects pays off in the end.
So, investigate what was the problem, work on solutions and present them.
It might need some persistence, as such ideas don't generate revenue and have no obvious effect.
But a cracked server costs:
- time and resources to rebuild
- reputation with your clients/users.
You must always face the curtain with a bow.
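A check for the mount options suggested in post #23, as an added example that is not part of the thread: it reads a mount table in /proc/mounts layout and reports which of nodev and noexec are missing for a directory. The function name missing_mount_opts and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which required mount options
# are missing for a mount point. Input on stdin uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# Constructed sample table: /tmp lacks noexec, /var/tmp has both options,
# and /srv/uploads is not a mount point of its own.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nodev,relatime 0 0
/dev/sda4 /var/tmp ext3 rw,nodev,noexec,relatime 0 0'

# missing_mount_opts MOUNTPOINT "opt1 opt2 ..."   (mount table on stdin)
# Prints the missing options separated by spaces (empty line if none).
# Returns 0 = all set, 1 = some missing, 2 = MOUNTPOINT is not a mount point.
missing_mount_opts() {
    _required=$2
    # The last matching entry wins: a later mount on the same path shadows
    # earlier ones.
    _opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }')
    [ -n "$_opts" ] || return 2
    _missing=
    for _want in $_required; do
        # Wrap in commas so "exec" can never match inside "noexec".
        case ",$_opts," in
            *",$_want,"*) ;;
            *) _missing="${_missing:+$_missing }$_want" ;;
        esac
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Demo on the constructed table. On a live host, feed the real table:
#   missing_mount_opts /tmp "nodev noexec" < /proc/mounts
# and fix a finding with:  mount -o remount,nodev,noexec /tmp
# (add the same options to the /tmp line in /etc/fstab to survive a reboot).
for dir in /tmp /var/tmp /srv/uploads; do
    out=$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts "$dir" "nodev noexec")
    case $? in
        0) echo "$dir: ok" ;;
        1) echo "$dir: missing $out" ;;
        2) echo "$dir: not a separate mount, so options cannot be set on it" ;;
    esac
done
```

Return code 2 is the "if that tmp dir is a partition" condition from the post: a plain directory inherits the options of the filesystem it lives on. noexec blocks direct execution of files on that filesystem, while a script stored there can still be read by an interpreter, which is why the post puts securing the applications first.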