"my blog doesn't just deal with my life, it deals with some important stuff too"

10th of August 2004

Insecure, Downtime, etc

I received an odd email from Liz the other day:

> Apparently your blog site is open to hax0rs

A quick visit to my blog revealed a server misconfiguration ("error 500") page. A quick check through the blogs, posts to LoweyPages and the code for both revealed that nothing had been compromised, but I took both down just in case while I had a look through. Besides, it wasn't going to make any vast difference to people visiting, as the server was quite clearly b0rked.

Anyway I had a quick look and couldn't find anything that would allow a hacker access to any passwords or anything that might trick the blog into allowing unauthorised posts or anything. When I found out who had originally suggested the site was at risk from being hacked I emailed them to find out what made them think it was insecure.

It turned out the site had been providing directory listing access to the public_html directory and the cgi-bin directory, and so all the files were readable. Luckily no-one could read the source files for the scripts, as the site had actually been relying on security through obscurity until today. This was just because it was easier, but I've made it much safer now (just in case the source should ever see the light of day).

Anyway the only real problem I could see was that the logs for the blog and LoweyPages were accessible via the web. This was just for ease of access, but as pointed out by Shiny they were grep-able to find out where I generally logged in from so they could packet-sniff. Not that I see anyone going to that much trouble, but it does make sense to move them somewhere a little safer.

Anyway, the server is now back online again after I emailed the admin and the blog is now online and a little bit more secure. The only question is whether my password works with the new system ...

Blog #258, posted at 14:13 (GMT)