echo: nthelp
to: Randall Parker
from: Adam
date: 2005-11-20 03:10:26
subject: Re: Rental servers and getting rooted

From: Adam 

Randall Parker wrote:

> George reports on stories he hears about web sites getting taken over
> due to poor security in the logic of the web pages and in the technology
> the web pages are written in. "rooting" means getting root access to a
> server. It's a term from Unix land.
>
> It's just the rent a server folks don't care about security, they care
> about having check marks in all the checkboxes on the list of available
> features so that everyone will go to them because they offer all the
> features the people who don't know security always want.
>
> Look at PHP, it's insecure not because of the server setup but because of
> the actual code written in PHP. Security on a web server that's running php
> is up to the guys writing the web pages not the admin.
>
> So now that you know this, how can any hosting company offer PHP and still
> call their machines secure? I mean it's a joke right?
>

Hummm almost any server which allows you to upload your own executable code
can also not claim that.

"By uploading your own code you thus render inoperative any warranty
thus offered wrt secure hosting"......

Attach a string pipe to an executable &......

> Ok now look at any other web server extensions that offer real power stuff,
> like cold fusion. Cold fusion offers the ability to modify the system
> registry. Hello? How can someone who rents websites allow every website
> owner on a machine to modify the registry which no doubt affects the
> machine security and every other website hosted on that machine? Is that
> secure in your opinion?
>

Ummm no.

> My point is to be secure and still use any of the power extensions like
> .NET or PHP you have to have your own server and you have to understand
> basic security or the pages and features you make available may very well
> be what opens you up to hacks.
>

Well D'oh!!!

I can put up a page which says "upload your windows exec here & I
will run it as me..."

> For Randall, he'll need to decide what extensions he needs then he'll need
> to learn how the exploits for those extensions work so he knows the weak
> points and what sort of stuff to watch out for. Doing the patches and
> typical machine security is easy compared to that and having control over
> the machine configuration instead of being stuck with some rent-a-server
> standard image config would make things a lot easier. I'd say do it
> yourself and deal with the learning curve.
>

Yup.

Serve static files wherever possible.

> Geo.
>
> If the rent a server folks provide you and 253 other websites with the
> ability to write code that can be the doorway a hacker uses to root the
> server then who are you supposed to blame when someone else's code is the
> reason your website got wiped out? Who do you blame that your server is
> unavailable for a week while they rebuild their server farm because that
> box was used to root the others? How do you know the hacker isn't one of
> the other 253 websites?
>
> The responsible disclosure folks have pretty much silenced the security
> community, the defaced websites tracking sites have pretty much been
> silenced as well so I can't point you to a site that shows how often this
> happens but people talk to me about their websites all the time and
> rootings are happening more often now than ever from what I can tell.
>
> When Glenn told me about his server, I showed the form letter to our techs,
> one of them who has his site hosted on some India web host laughed and told
> me it was nothing. A week later his site went down due to a rooting and was
> down for a week. Then again last month his site went down due to a rooting,
> he's now getting the idea that maybe there was more to what I was telling
> him than he thought although he's still not convinced the problem is all
> the checked checkboxes for server extensions.
>
> There are some good hosting services out there but the only way I know to
> find them is to ask people who have used them for a year or longer.
>

D'oh!!! Turn off everything you aren't using!!!

& then some, e.g. make sure that the site is hosted by racks where each
jsp pizza box has a different root but where any one is capable of being
pulled at a moment's notice, & then use an HTTP switching/balancing proxy,
& make sure the datastore is on a very hard to reach machine (e.g. only
accept any connections from these boxes on this port).

Adam

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
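Adam's closing advice, "only accept any connections from these boxes on this port", is the part a practitioner would actually have to configure on the datastore host. The script below is an added example, not part of the original message: it generates an nftables ruleset for a Linux datastore box that drops every inbound connection except new TCP connections from the web-tier addresses to the datastore port, and it includes a small policy check that mirrors the rule so the intended behaviour can be reasoned about before the ruleset is loaded. The web-tier addresses (192.0.2.x) and port 5432 are constructed placeholders; the table, set and chain names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a datastore host so it
# only accepts connections from the web tier on one port, using nftables.
# WEB_TIER and DB_PORT below are constructed placeholders; override via env.
WEB_TIER="${WEB_TIER:-192.0.2.10 192.0.2.11 192.0.2.12}"  # web boxes (assumed)
DB_PORT="${DB_PORT:-5432}"                                # datastore port (assumed)

# Emit the nftables ruleset on stdout. Apply on the datastore host with:
#   datastore_ruleset | nft -f -
# Default policy is drop, so anything not listed (ssh from the internet,
# connections from the other 253 tenants, etc.) never reaches the service.
datastore_ruleset() {
    set_members=$(printf '%s' "$WEB_TIER" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet datastore {
    set web_tier {
        type ipv4_addr
        elements = { $set_members }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr @web_tier tcp dport $DB_PORT ct state new accept
        ct state invalid drop
    }
}
EOF
}

# Mirror of the policy for reasoning and testing: a NEW connection from
# address $1 to port $2 is accepted (exit 0) only when $1 is a web-tier box
# and $2 is the datastore port; everything else is dropped (exit 1).
would_accept() {
    src="$1"; port="$2"
    [ "$port" = "$DB_PORT" ] || return 1
    for h in $WEB_TIER; do
        if [ "$h" = "$src" ]; then return 0; fi
    done
    return 1
}

# Stand-alone usage: print the ruleset and exercise the policy check.
if [ "${1:-}" = "show" ]; then
    datastore_ruleset
    would_accept 192.0.2.10 "$DB_PORT" && echo "web box -> db port: accept"
    would_accept 198.51.100.7 "$DB_PORT" || echo "stranger -> db port: drop"
fi
```

Run `sh script.sh show` to see the ruleset and the two policy checks; loading it with `nft -f -` requires root on the datastore host. The proxy and web boxes get the same treatment in the other direction: the only thing that should be able to open a connection to the datastore is the web tier, and a compromised web box still cannot reach ssh or any other service on it.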

SOURCE: echomail via fidonet.ozzmosis.com
