in reply to Company hacks through my Perl's Website Security hole

As a professional sysadmin, I can say that it isn't your fault if someone takes down the entire box thanks to your carelessness. Don't expect the admins to like you afterwards though.

I'm not quite following how they 'hacked in' though. What's that code you posted? Were you running code submitted to a webpage or something? You sure had it coming if you did.

I'm getting DNS errors trying to get to the site you mentioned. That doesn't necessarily mean the webserver has been hacked, but probably something is wrong with their systems.

And a quick update, clarifying the first paragraph. It's the sysadmin's job to protect users from themselves. Sometimes the sysadmin is unable to protect the system from the boneheaded users. However ultimately the sysadmin decides who gets to run what, with what priority and how much system resources they may use.

If they flub this, or if the OS contains a compromise, then it gets filed under "shit happens", they pull the backup tapes off the rack, and life goes on.

____________________
Jeremy
I didn't believe in evil until I dated it.

  • Comment on Re: Company hacks through my Perl's Website Security hole

Replies are listed 'Best First'.
Re: Re: Company hacks through my Perl's Website Security hole
by diotalevi (Canon) on May 21, 2004 at 16:41 UTC
    That code as written allows anyone to run arbitrary programs. $file was supplied by the user and given to two-arg open which when the filename ends in a pipe symbol is interpreted as a shell command to run.
[reply]
      update: This post works a lot better as a reply to pzbagel, which is where it should be... except that I clicked the wrong link. My bad.

      The system should have been protected by privilege separation. This guys account gets hacked, the hackers muck around... the sysadmin deletes the account. No worries.

      Except it didn't work that way, this time. I can't even figure out from the parent post what actually happened. Perhaps a lightning strike took out the server room just as he realised his mistake?

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

[reply]
        The system should have been protected by privilege separation. This guys account gets hacked, the hackers muck around... the sysadmin deletes the account. No worries.
        Privilege separation good. But the bad guys can usually find a way to escalate their privileges once they've got a foot in the door, so I wouldn't go so far as to say "no worries".
[reply]

In Section Seekers of Perl Wisdom