
[ale] I've been hacked!



> That's what I'm trying to figure out.  I just looked and it came back.  I 
> started looking closer and every index.html has the same code.

I haven't had to clean one of those out in a few years, but I'll bet the 
techniques are the same, and there is something running as root, possibly 
via a cron or an altered cron that is adding that to every index.html 
file. The vector may be a bad CGI program, or something on the server like 
sqwebmail - which I recently had a server nailed via an exploit in.
I had just done 'apt-get install courier...' and it was nailed 10 minutes 
later while I was still configuring things.

While obfuscation isn't really a valid technique, I'm back to renaming
any common CGI/PHP programs to something a little odd; it keeps the 
auto-infecting robot scanner programs from finding them anyway.

Luckily, this one isn't your server; the bad news is that it isn't your 
server... so you can't fix it.
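
A triage sketch for the two observations in this thread (the same code in every index.html, and it coming back after removal), added here as an example and not part of the original message. It assumes the injected code is a `<script>` or `<iframe>` line, that the web root is `/var/www`, and that cron lives in the usual Debian-style locations; all three are assumptions to adjust for the host.

```python
import os
import time

# Assumption: the injected code is a <script> or <iframe> line.
MARKERS = ("<script", "<iframe")
# Assumption: usual Debian-style cron locations; adjust for the host.
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
              "/etc/cron.daily", "/var/spool/cron"]

def common_injected_lines(web_root, min_files=2):
    """Map each script/iframe line repeated verbatim in >= min_files
    index.html files to the files containing it."""
    seen = {}
    for dirpath, _dirs, files in os.walk(web_root):
        if "index.html" not in files:
            continue
        path = os.path.join(dirpath, "index.html")
        with open(path, errors="replace") as fh:
            lines = {ln.strip() for ln in fh
                     if any(m in ln.lower() for m in MARKERS)}
        for ln in lines:
            seen.setdefault(ln, []).append(path)
    # Legitimate shared includes (site JS) show up too; review by eye.
    return {ln: sorted(p) for ln, p in seen.items() if len(p) >= min_files}

def recently_changed(paths, within_seconds, now=None):
    """Files at or under paths modified within the window (missing paths skipped)."""
    now = time.time() if now is None else now
    hits = []
    for root in paths:
        if os.path.isfile(root):
            candidates = [root]
        else:
            candidates = [os.path.join(d, f)
                          for d, _s, fs in os.walk(root) for f in fs]
        for p in candidates:
            try:
                if now - os.stat(p).st_mtime <= within_seconds:
                    hits.append(p)
            except OSError:
                pass  # unreadable or vanished entry
    return sorted(hits)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for line, files in common_injected_lines(root).items():
        print(f"{len(files)} files share: {line[:100]}")
    for p in recently_changed(CRON_PATHS, 7 * 86400):
        print("cron entry changed in last 7 days:", p)
```

Run it as root against a copy or read-only mount of the affected filesystem where possible, since timestamps on a live compromised host can be altered.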