On Wed, Jan 27, 2010 at 9:35 AM, Nilesh Govindarajan
<lists@itech7.com> wrote:
On 01/27/2010 08:01 PM, Gerhard Killesreiter wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adam Gregory schrieb:
This is more a server security issue rather than a Drupal one. I've seen
this happen with Drupal, Joomla, Wordpress and custom PHP code. It
really most likely means that access to the server/host was compromised
at some point.
There are lost of things that can be done to prevent this like
chmod/own-ing your file system correctly(As Gerhard touched on). This is
also a good reason to use SFTP rather then FTP as passwords in SFTP are
sent encrypted and FTP are not leaving them open to a *man-in-the-middle
attack.*
People still using FTP in 2010 should be shot on sight.
Cheers,
Gerhard
Public mirrors do use them ?
FTP is good if you can configure it properly. It can be a big bug in the security as happened in this case if not configured properly :)
Yes, but public mirrors do not require passwords. What Gerhard is talking
about is uploading stuff to your site via an FTP account with a user name
and password.