Disabling binaries in shared hosting scenarios
This is a quick note, probably off topic, or probably not. But if you ever run a server dedicated to hosting multiple clients, you'll want to remember this. It is very common for clients to install buggy software that ends up posing a threat to the hosting server, either because a new vulnerability was disclosed and is unpatched, or simply because the installed software lacks any security at all.
As a result, one or more of your clients get hacked by worms. While exploiting vulnerable software, worms tend to use the commands listed below to download large payloads that are then executed to mess things up even more. So we could say there is a stage 1, when the script gets hacked, say through a 'command injection' vulnerability, and a stage 2, when the first small exploit downloads and executes the real thing, the malicious payload.
If you get to stage 2 you are either lucky or in big trouble (start assessing the damage), so the idea is to prevent stage 2 from happening in the first place. You do not end up fixing the vulnerable script, no, but at least you lower the impact of the first automated exploit.
The binaries that I tend to chmod to 000 (no read, write or execute bit for anyone, so even root cannot run them until the mode is restored) and that, from experience (ouch!), worms use are:
- wget
- curl
- lwp-download (from libwww-perl, the same package that provides GET)
- GET
- links
- lynx
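As an added example (not the original post's script), here is a small POSIX sh helper that applies the chmod 000 trick to the names above and records each file's previous mode in a manifest, so the change can be undone cleanly, for instance before a package upgrade. The manifest path, the `lock_binaries`/`unlock_binaries` names and the `/usr/bin` location in the usage comment are assumptions for illustration; adjust them to where your distribution installs these tools.

```shell
#!/bin/sh
# Added example, not the original post's code: neuter the common download
# helpers on a shared host with chmod 000, keeping a manifest of the
# original modes so the change is reversible and repeatable.
set -eu

# Names the post lists; lwp-download and GET both come from libwww-perl.
DOWNLOADERS="wget curl lwp-download GET links lynx"

# Numeric mode of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# lock_binaries MANIFEST DIR NAME...
# For every NAME that exists as a regular file in DIR, append "path mode"
# to MANIFEST and set the mode to 000. Paths already in the manifest are
# skipped, so running this twice never records 000 as the "original" mode.
lock_binaries() {
    manifest=$1; dir=$2; shift 2
    : >> "$manifest"
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if awk -v p="$f" '$1 == p { found = 1 } END { exit !found }' "$manifest"; then
            continue
        fi
        printf '%s %s\n' "$f" "$(file_mode "$f")" >> "$manifest"
        chmod 000 "$f"
    done
}

# unlock_binaries MANIFEST
# Restore every recorded mode, then empty the manifest.
unlock_binaries() {
    manifest=$1
    while read -r f mode; do
        if [ -e "$f" ]; then
            chmod "$mode" "$f"
        fi
    done < "$manifest"
    : > "$manifest"
}

# Assumed real-world usage (manifest path and /usr/bin are illustrative):
#   lock_binaries /root/locked-bins.txt /usr/bin $DOWNLOADERS
#   unlock_binaries /root/locked-bins.txt
```

Keep the manifest somewhere the clients cannot read, and run `unlock_binaries` before a package upgrade and `lock_binaries` after it, since upgrades of wget, curl or libwww-perl will reinstall the files with their normal 755 mode.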
It *really* helps prevent large disasters. By NO MEANS is this the solution, no, but just a tip for webmasters. Keep in mind that it only covers the obvious fetchers: a worm can still pull its payload through the interpreter it is already running in (PHP with allow_url_fopen, a few lines of Perl or Python, even bash's /dev/tcp), and a package upgrade will quietly restore the original permissions, so re-check them after updates.
Enjoy!