Is your site HACKER SAFE?
Submitted by robot_terror on Sun, 07/08/2007 - 04:21.

Ran across a web server the other day that had an active exploit running that allowed unrestricted remote shell access. The exploited vulnerability was in the Horde suite (PHP) of web applications. The Horde team had disclosed the vulnerability and had patched it more than a year ago. However, the exploit had been executed toward the end of May of this year (2007).
I'm being vague as to the web server details because I want to protect the identity of the web server operators. I believe they thought, based on the claims of the Hacker Safe service they subscribed to, that they were doing everything in their power to prevent hackers from unauthorized access to their server.
When I was administering the server for unrelated reasons I found the exploit running bound to port 80 and owned by the user apache. Thus it was not, yet, a root-level exploit. Nevertheless, seeing a process named "bash" running from /dev/shm is not a heartwarming event. Once I tracked down the vector of compromise (Horde) and verified that it was closed off, I swept the computer for other compromises in play.
One of my searches (for the Turkish Hacker PHP include injection) revealed that the compromised web server subscribed to the HACKER SAFE service by Scan Alert. In fact, Scan Alert was, at the time of my discovery of the compromise, declaring that the server was meeting the highest level of published government standards for security.
Time to revise those published standards, eh, folks?
Or, perhaps, HACKER SAFE is more about a marketing tool than anything about a proactive prevention of compromises and exploited vulnerabilities.
What is the purpose of HACKER SAFE? Is it to reduce instances of compromise or is it to increase sales? Reading the Scan Alert site makes it clear there is a marketing component to their service, which is natural. However, under the menu "Security" the bottom-line service is a test to measure conversion rate increase while using the HACKER SAFE mark:
"Placing the HACKER SAFE certification mark on your web site has been proven to increase visitor-to-sales conversion rates. Our technology allows customers without in-house data mining tools to scientifically measure the effects HACKER SAFE certification has on their business by conducting a sales analysis.

ScanAlert's sales analysis technology uses an A/B test methodology in which half of the site's visitors see a HACKER SAFE certification mark while the other half (the control group) do not. Our sales analysis service includes installation support and real-time graphical reporting."
Hopefully the web server operators with the year-old unpatched vulnerability and the month-and-a-half-old active exploit increased their conversion rate with the HACKER SAFE server -- they surely didn't get any security benefit from their subscription. I wonder how the customers would feel knowing that the HACKER SAFE logo meant, basically, nothing more than a marketing ploy.
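As an added, defender-side illustration that is not part of the original post: a small Python scanner that walks /proc looking for the kind of indicator described above, a shell or interpreter executing out of a world-writable scratch directory under the web-server account. The `apache` user name and the scratch-directory list are assumptions, and the SAMPLE records are constructed to show what a hit looks like.

```python
import os
import pwd
from dataclasses import dataclass

# Directories a legitimate service binary should never be executing from (assumption).
SUSPECT_DIRS = ("/dev/shm", "/tmp", "/var/tmp")
# Account the web server runs as; "apache" matches the post, adjust for your distro (assumption).
WEB_USER = "apache"
SHELLS = ("bash", "sh", "dash", "perl", "python", "python3")

@dataclass
class Proc:
    pid: int
    user: str
    exe: str    # target of /proc/<pid>/exe
    cwd: str    # target of /proc/<pid>/cwd
    comm: str   # process name from /proc/<pid>/comm

def in_scratch(path: str) -> bool:
    """True if path is one of SUSPECT_DIRS or lives beneath one of them."""
    return any(path == d or path.startswith(d + "/") for d in SUSPECT_DIRS)

def flag(p: Proc) -> list[str]:
    """Return the reasons a process record looks like a planted shell; empty if it looks normal."""
    reasons = []
    if in_scratch(p.exe) or in_scratch(p.cwd):
        reasons.append("executable or cwd in a world-writable scratch directory")
    if p.exe.endswith(" (deleted)"):
        reasons.append("running binary has been unlinked from disk")
    if p.user == WEB_USER and p.comm in SHELLS:
        reasons.append("shell/interpreter running under the web-server account")
    return reasons

def scan(procs) -> dict[int, list[str]]:
    """Map pid -> reasons for every record that trips at least one rule."""
    return {p.pid: r for p in procs if (r := flag(p))}

def scan_live() -> dict[int, list[str]]:
    """Collect records from the local /proc (needs root to read other users' exe/cwd links)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            cwd = os.readlink(f"/proc/{pid}/cwd")
            comm = open(f"/proc/{pid}/comm").read().strip()
            user = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
        except (OSError, KeyError):
            continue  # process exited, or we lack permission; skip it
        procs.append(Proc(pid, user, exe, cwd, comm))
    return scan(procs)

# Constructed sample: a normal httpd worker, the post's bash-from-/dev/shm, and an unlinked binary.
SAMPLE = [
    Proc(1234, "apache", "/usr/sbin/httpd", "/", "httpd"),
    Proc(1300, "apache", "/dev/shm/bash", "/dev/shm", "bash"),
    Proc(1301, "root", "/usr/bin/python3 (deleted)", "/", "python3"),
]

if __name__ == "__main__":
    for pid, reasons in scan_live().items():
        print(pid, "; ".join(reasons))
```

Run it as root on a live host; on the constructed sample only pids 1300 and 1301 are reported.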
