I guess I should actually declare linuxguy the winner: he was the one who
suggested PHP might be using its privileges to obtain the info, and he was
right.

The root of the problem.

Our web site is built in such a way that the only page you ever call up is
the index.php.

It is broken up into 5 sections: a header, menu, column, body, & footer.

If you go to our site it defaults to the main menu, column, & body.

If you click on a link, the link passes along the variables to call up the
correct menu, column & body.

Example:
http://www.heritageweb.org/index.php?menu=menusecondary.php&column=columnsecondary.php&body=bodysecondary.php

The variables are the names of the sections of code.

Section of old code:

<?php
        // The column name comes straight from the query string.
        $column = $_GET['column'];
        if ($column == NULL)
        {
                include("columnhome.php");
        }
        else
        {
                // Whatever file name the request supplied is passed to
                // include() unchanged.
                include("$column");
        }
?>

Section of new code:

<?php
        $column = $_GET['column'];
        // Reject any value that contains a path separator; anything else
        // is still included exactly as the request named it.
        if (strpos($column, "/") === false)
        {
                if ($column == NULL)
                {
                        include("columnhome.php");
                }
                else
                {
                        include("$column");
                }
        }
        else
        {
                die("Invalid Request");
        }
?>

To be honest, I thought it was a great way to process an entire site through
one main page.  It made consistent formatting a breeze.  My thoughts were to
eventually move each menu, column, and body section into a MySQL database
and then build a front-end that would allow individuals at the school to edit
the body sections they are responsible for.

I do hope this helps anyone who is doing something similar avoid my
headaches.

Doug
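A stricter version of the same index.php dispatcher, added here as an example and not Doug's code: rather than rejecting names that contain "/", it only ever includes a file from a fixed allowlist, so the query string can choose between the site's own section files and nothing else. Section file names come from the message above (menusecondary.php, columnsecondary.php, bodysecondary.php, columnhome.php); menuhome.php, bodyhome.php, header.php and footer.php are assumed names for the other pieces.

```php
<?php
// Added example (not from the original message): allowlist-based dispatch
// for the single-page index.php layout. menuhome.php, bodyhome.php,
// header.php and footer.php are assumed file names.
$sections = array(
    'menu'   => array('default' => 'menuhome.php',
                      'allowed' => array('menuhome.php', 'menusecondary.php')),
    'column' => array('default' => 'columnhome.php',
                      'allowed' => array('columnhome.php', 'columnsecondary.php')),
    'body'   => array('default' => 'bodyhome.php',
                      'allowed' => array('bodyhome.php', 'bodysecondary.php')),
);

// Resolve one section parameter to a file the site actually ships,
// or return null so the caller can refuse the request.
function resolve_section($sections, $name, $requested)
{
    $spec = $sections[$name];
    // Missing or empty parameter: use the section's default page.
    if ($requested === null || $requested === '') {
        return $spec['default'];
    }
    // Strict comparison against the allowlist: the request must match one
    // of these names exactly, so no string filtering has to guess at what
    // an unwanted value looks like.
    if (!in_array($requested, $spec['allowed'], true)) {
        return null;
    }
    return $requested;
}

$files = array();
foreach (array_keys($sections) as $name) {
    $requested = isset($_GET[$name]) ? $_GET[$name] : null;
    $file = resolve_section($sections, $name, $requested);
    if ($file === null) {
        // Record the rejected value for the admin's logs; the visitor
        // only sees a generic error.
        error_log("index.php: rejected $name=" . var_export($requested, true));
        header('HTTP/1.0 400 Bad Request');
        die('Invalid Request');
    }
    $files[$name] = $file;
}

include('header.php');
include($files['menu']);
include($files['column']);
include($files['body']);
include('footer.php');
?>
```

Adding a new section page means adding its name to the allowlist; until then a request for it is refused and logged rather than included.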



-----Original Message-----
From: tclug-list-bounces at mn-linux.org
[mailto:tclug-list-bounces at mn-linux.org]On Behalf Of Pastor Doug Coats
Sent: Thursday, March 04, 2004 8:55 AM
To: TCLUG Mailing List
Subject: [TCLUG] Attack


I am running Fedora Core 1 and had an interesting attack show up in my logs.

Someone tried to ssh in, running through the entire list of users.

My question is how did they get that list of valid users?  There is no
evidence of simply trying random users - they knew every user.

Is there something in Linux that would return a request for every user name?

Is there something I should have turned off so that cannot happen again?

I blocked their IP address in IPTables but they can find a way around that.
And I would like to block anyone from trying something similar.

Any suggestions would be greatly appreciated.

Thanks All,

Doug


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
