Exploratory Question for Security Admins (/etc/passwd + PHP)
- by JPerkSter
Hi everyone,
I've been seeing a few issues lately on a few of my servers where an account gets hacked via outdated scripts, and the hacker uploads a cPanel/FTP brute-forcing PHP script inside the account.
The PHP file reads /etc/passwd to get the usernames, and then uses a passwd.txt file to try and brute-force its way into 127.0.0.1:2082.
I'm trying to think of a way to block this. It doesn't POST anything except "GET /path/phpfile.php", so I can't use mod_security to block this.
I've been thinking of maybe changing permissions on /etc/passwd to 600, however I'm unsure how this will turn out in regard to my users.
I was also thinking of rate-limiting localhost connections to :2082, however I'm worried about mod_proxy being affected.
Any suggestions?
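One defensive step that complements any of the above is finding the uploaded scripts themselves. The scanner below is an added example, not code from the post or from cPanel; it walks a document root for .php files that both read /etc/passwd and reference the local cPanel port 2082 (the pattern the post describes), and the sample PHP sources it scans offline are constructed for the demo. The indicator names and the two-indicator threshold are the example's own choices.

```python
import re
from pathlib import Path

# Constructed sample PHP sources for the offline demo (not real malware):
# one benign include, one matching the pattern from the post.
SAMPLES = {
    "public_html/index.php": "<?php echo 'hello'; include 'config.php'; ?>",
    "public_html/uploads/x.php": (
        "<?php\n$u = file('/etc/passwd');\n$p = file('passwd.txt');\n"
        "$c = curl_init('http://127.0.0.1:2082/login/');\n"
    ),
}

# Hypothetical indicator set: a script that reads the system user list AND
# talks to the local cPanel port is the combination worth flagging.
INDICATORS = {
    "reads_etc_passwd": re.compile(r"""['"]/etc/passwd['"]"""),
    "targets_cpanel_port": re.compile(r"(127\.0\.0\.1|localhost):2082"),
    "wordlist_file": re.compile(r"passwd\.txt"),
}
REQUIRED = {"reads_etc_passwd", "targets_cpanel_port"}

def score_php(source: str) -> list[str]:
    """Return the names of all indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each .php path under root that has both required indicators to its hits."""
    hits = {}
    for path in root.rglob("*.php"):
        try:
            found = score_php(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if REQUIRED <= set(found):
            hits[str(path.relative_to(root))] = found
    return hits

def scan_samples() -> dict[str, list[str]]:
    """Same decision rule applied to the constructed in-memory samples."""
    return {p: score_php(s) for p, s in SAMPLES.items()
            if REQUIRED <= set(score_php(s))}

if __name__ == "__main__":
    import sys
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for path, found in results.items():
        print(f"SUSPECT {path}: {', '.join(found)}")
```

Run it with a document root as the argument (e.g. a user's public_html) to scan real files; with no argument it scans only the constructed samples.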