#1 (permalink) |
|
Searcher
Surpass Staff
Joined in May 2003
Lives in Orlando
24,699 posts
Gave thanks: 943
Thanked 806 times
|
PHPsuexec : The Results : 1 Year
The Decision
Exactly a year ago, in November 2005, we began to implement PHPsuexec on our new servers. We were one of the first hosts to implement PHPsuexec and admittedly were a bit nervous venturing into this territory. November 2005 was actually the second time we tried to introduce it; the first time, which failed, was a year before, in September 2004. Last year we finally decided that it was the right time and that users were more ready than before. We have arrived at the conclusion that this has been an extremely beneficial decision, for ourselves and for all of you, from a security and abuse standpoint.

The Data
Because we are now having a PHPsuexec anniversary of sorts, I thought it was time to take a moment (well, it was a few hours) and compile some data so you can see the benefits with your own eyes. It was amazing to see the results (or lack of!) for each server.

- These results are based on reports from June 2006 until November 2006. I searched for both hostname and IP address in all of our abuse reports and help desk reports. (Thousands of reports are in this time frame.)
- In 1 year we have launched 19 shared servers, so this is a sampling from our 19 machines with PHPsuexec enabled and the 19 servers immediately before those without phpsuexec. In other words, SH69-SH87 vs. SH88-SH106.
- In these graphs we cover the three major abuse issues:
  Email source = number of times the server was used as a spam source (for example, 2 means that on two occasions a file or script was used to send out hundreds or thousands of emails)
  Phish uploads = number of times the server was used to host a phish page
  Bot reports = number of times the IP was reported in bot scans/attacks
__________________
Follow Surpass on Twitter and Facebook
Check out interesting finds on the Surpass Blog .... it's coming. |
| This user thanks Kayla for this great post! | benjamin (November 7th, 2006) |
#2 (permalink) |
|
Searcher
Surpass Staff
Joined in May 2003
Lives in Orlando
24,699 posts
Gave thanks: 943
Thanked 806 times
|
On the non-phpsuexec servers, the amount of phish uploads is important because this also means that other scammers were able to upload files to mass send mail (most commonly and not very imaginatively named mailer.php), so that is why the email source column is also high.
On the phpsuexec servers, the ability to upload files into random 777 directories is completely reduced. Random spam sent on those (419, phish, etc.) happens only because of a certain type of mail script used by the account holder.
If you have any questions about these results, please reply here and let me know. I'd be very happy to go into this deeper.
|
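An added example, not part of the original thread or of Surpass's own tooling: a Python audit that lists world-writable (777-style) directories under an account's document root and any PHP scripts sitting inside them, the pattern post #2 describes with mailer.php. The `public_html` layout, the extension list and the sample tree are constructed assumptions.

```python
import os
import stat

# Assumed set of extensions the web server would execute as PHP.
SCRIPT_EXTS = (".php", ".phtml", ".php5")


def audit_docroot(docroot):
    """Return (world_writable_dirs, scripts_found_in_those_dirs)."""
    open_dirs, exposed_scripts = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot, followlinks=False):
        mode = os.lstat(dirpath).st_mode
        # S_IWOTH is the "other" write bit: set on 777 (and 757, 1777, ...).
        if not mode & stat.S_IWOTH:
            continue
        open_dirs.append(dirpath)
        for name in filenames:
            if name.lower().endswith(SCRIPT_EXTS):
                exposed_scripts.append(os.path.join(dirpath, name))
    return sorted(open_dirs), sorted(exposed_scripts)


def build_sample_tree(base):
    """Create a constructed document root for the demo; returns its path."""
    root = os.path.join(base, "public_html")
    layout = {
        "": (0o755, ["index.php"]),
        "includes": (0o755, ["config.php"]),
        "uploads": (0o777, ["photo.jpg", "mailer.php"]),  # dropped script
    }
    for sub, (mode, files) in layout.items():
        path = os.path.join(root, sub)
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("")
        os.chmod(path, mode)  # explicit chmod so the umask cannot interfere
    return root


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as base:
        dirs, scripts = audit_docroot(build_sample_tree(base))
        for d in dirs:
            print("world-writable dir:", d)
        for s in scripts:
            print("script in world-writable dir:", s)
```

A PHP file reported here is worth reviewing against the account's known uploads; image or data files in the same directory are listed only through their parent directory.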
#3 (permalink) |
|
Surpass Fan
Excelling Contributor
Joined in Nov 2005
Lives in Colorado
Hosted on DEDI
934 posts
Gave thanks: 2
Thanked 94 times
|
Thanks for putting these results together.
Running PHP as a SetUser translates to the exploits on the phpSUexec servers being the direct responsibility of the user with the password, not just because someone found a door open for the world to enter. Removing the user-caused exploits, the chart will be all zeros.
__________________
Where would you be if you were at the highest court in the land (US)? |
| This user thanks cowboy for this great post! | Kayla (November 7th, 2006) |