Elise Bauer and Arvind Satyanarayan have a short tutorial on using CGIWrap or suEXEC on *NIX/Apache MovableType installations. If you are using MT as your content management system and aren't already using CGIWrap or suEXEC you should read this article. This, of course, assumes that your host has CGIWrap or suEXEC installed (MT installs a utility called mt-check.cgi that, inter alia, tests for this so you can check before proceeding).
The article also recommends, if you aren't doing dynamic
publishing, to set permissions on mt.cfg and mt-db-pass.cgi to
600 (e.g., chmod 600 mt.cfg) to protect it from
intrusion. In addition, they suggest setting a .htaccess file
in the same directory as mt.cfg with parameters to restrict
access (see the article for the specific code).
Given the problems I've had with comment spammers, these are good recommendations. One thing they don't mention, but I recommend, is to close comments on individual articles after a period of time. I don't know why, but spammers love to hit posts that a older than a couple of weeks. If you routinely close comments after, say eight to 10 days, you can stop them in their tracks.
But remember, you have to make these changes. If you think no one would try to hack your site, think about this. Before the authors of the tutorial actually did the things they recommended, a spammer was able to access their index template and modify it to show a pop-up add to everyone who viewed their site. So, not only can it happen, it already has. And according to a follow-up at their site, the exploit involves not only MT sites but also WordPress and perhaps others. The bottom line for the exploit seems to be set your permissions to 600 on mt.cfg and mt-db-pass.cfg.
Comments (1)
Hi Dan,
I think the more likely cause of the attack on my site was not on the index templates but on a lot of the file pages whose permissions were set to 666 (because I hadn't uncommented the Umask settings). I had several templates linked to files. Once those files were changed, the template would change when I rebuilt them. I'm not certain, of course, but this seems to be most likely. That said, I discovered in the process that my site was still vulnerable to having its db password and username revealed by a simple php script that anyone else on my shared server could have run. The way to protect against such a script was to set tighter permissions on the mt.cfg and db-pass.cgi files.
Regarding comment spam, I've listed a bunch of things one can do at the following tutorial which you might find helpful:
http://www.elise.com/mt/archives/000246concerning_spam.php
Best,
Elise
Posted by elise | October 6, 2004 10:54 AM
Posted on October 6, 2004 10:54