Ars Technica: Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too
Don't want to stir up unneeded paranoia, however, I'd advise, just to be safe, that everyone use rpm --verify on their appropriate webserver binaries/packages...
For Debian/Ubuntu, you can use the debsums command (very nice tool):
For example, to check the integrity of Apache 2.2 on Ubuntu/Debian:
apt-get update && apt-get install debsums
debsums_init --> this updates the md5 db
debsums apache2.2-bin
debsums apache2.2-common
... Every file should show "OK". If not, then you should investigate, obviously.
For apache, you may want to check more than the above packages, but the above two are the minimum check/starting point.
Of course, modify accordingly for nginx/lighttpd etc.
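For readers who want to see what debsums is actually doing, here is an added example (not from the poster, and not debsums' own code) that re-implements its per-file check in Python: it reads the dpkg md5sums listing format (/var/lib/dpkg/info/<pkg>.md5sums, one "<md5 hex>  <path>" per line) and compares each listed file on disk against the recorded checksum. The package root, file names and contents in demo() are a constructed fixture, not a real Apache install.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg's /var/lib/dpkg/info/<pkg>.md5sums format: "<md5 hex>  <path>" per line."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.strip().partition("  ")
            expected[path] = digest.lower()
    return expected

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(md5sums_text, root="/"):
    """Return {path: "OK" | "FAILED" | "MISSING"} for each listed file under `root`."""
    results = {}
    for rel_path, digest in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "MISSING"
        else:
            results[rel_path] = "OK" if md5_of_file(full) == digest else "FAILED"
    return results

def demo():
    """Constructed fixture: intact config, binary modified after packaging, removed module."""
    root = tempfile.mkdtemp()
    files = {"usr/sbin/apache2": b"original binary\n", "etc/apache2/apache2.conf": b"ServerRoot /etc/apache2\n"}
    md5sums = ""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        md5sums += f"{hashlib.md5(content).hexdigest()}  {rel}\n"
    md5sums += "0" * 32 + "  usr/lib/apache2/modules/mod_gone.so\n"  # listed but never written
    with open(os.path.join(root, "usr/sbin/apache2"), "ab") as f:
        f.write(b"injected\n")  # simulates a binary altered on disk after install
    return verify_package(md5sums, root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

Anything other than "OK" is the same signal debsums gives: a packaged file no longer matches what the distribution shipped, which is exactly the case the original post says to investigate.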
Comments
Is this the same one that was already fixed in Nginx 1.4.1 and 1.5.0?
Edit: yep, was a vulnerability in 1.3.9->1.4.0, but been fixed in 1.4.1 and 1.5.0 yesterday, and as far as FreeBSD goes those versions are already committed to the ports.
I think they're also updated in dotdeb too for debian/ubuntu (and likewise would be updated with the Ubuntu PPA which I'd prefer over dotdeb for nginx).
Thanks for the tip, I checked all my servers with that and they all come back good, and I've noticed no strange activity lately. Good luck to everyone.
time for everyone to write our own httpds
Sounds like a good way to multiply the amount of exploits.
LoL, especially when re-inventing the wheel you're probably going to open yourself up to about a hundred different exploits that have already been patched up in the popular engines.
that or just end up with a very secure, but slow-as-shit-buggy-server.
It's only beneficial to kids copying exploit tutorials and its "how to", they won't get that anymore. But a real attacker will likely have fun choosing an exploit to use
Indeed, knowing is half the battle.
I did write my own web server once. It's reasonably fast (given it's not in a compiled language), fairly low memory usage (event driven) and easily extensible, but it is very short of built-in features: static files and TCL scripts only - not even CGI support.
Probably my biggest waste of time project ever, except that I learned a lot.