[thelist] Hacked by kerem125
Mark Groen
evolt at markgroen.com
Fri Feb 2 09:48:12 CST 2007
On Friday 02 February 2007 06:36, Chris Dempsey wrote:
> Anyone seen this before or know of a way to identify exactly what has been
> compromised? I'm guessing that someone simply gained access via FTP and
> changed the default page.
In the past couple years the bot-net/trojan launched from a web page or in an
attachment and the SQL-injection methods have been most popular, iirc. Don't
know what that dormant bot-net is going to do once it lets loose, but that's
another subject...
Another popular hack is to get an account at a web host, and attack internally
with a kit that (rootkit for lack of a better term) exploits by prepending or
appending to the file server's web page output, then either frames the
Cpanel, Plesk etc. (host's customer control panel) and snags passwords for
later use, or simply redirects to a "hah hah" page.
Which is what *may* be happening here. The implication is that the host
provider may not be quite up to date, or is allowing the mod_layout (custom
Apache mod) to be inserted etc. etc. - after everything has settled down,
change your passwords (mixed cAsE plus at least one number, minimum) and
ensure all server input from site visitors is sanitized.
Check with the host and see if other sites are in the same boat (use their
forum if they have one, for example); if so, then it may not be your clients'
web site files that have a hole, but check anyways.
--
cheers,
mark
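
One way to check for the output wrapping described in the message above, added here as an example that is not part of the original post: compare the bytes of a static page on disk with the bytes the server returns for it. The function names, the marker list and the sample pages are assumptions constructed for illustration; the served body is assumed to be already fetched and decompressed.

```python
import re

# Markup typical of an injected wrapper: framing, scripts, redirects.
MARKERS = {
    "frame": re.compile(rb"<\s*i?frame\b", re.I),
    "script": re.compile(rb"<\s*script\b", re.I),
    "meta-refresh": re.compile(rb"http-equiv\s*=\s*[\"']?refresh", re.I),
}

def split_wrapper(on_disk: bytes, served: bytes):
    """Return (prepended, appended) if `served` contains the file verbatim,
    or None if the file body is empty or is not present in the response."""
    body = on_disk.strip()
    idx = served.find(body) if body else -1
    if idx < 0:
        return None
    return served[:idx].strip(), served[idx + len(body):].strip()

def check_page(on_disk: bytes, served: bytes) -> dict:
    """Classify one static page as clean, wrapped or modified."""
    parts = split_wrapper(on_disk, served)
    if parts is None:
        # The response is not the file plus extras: the file itself was
        # replaced, or the page is dynamic and cannot be compared this way.
        return {"status": "modified", "markers": []}
    if not any(parts):
        return {"status": "clean", "markers": []}
    injected = b"\n".join(parts)
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(injected))
    return {"status": "wrapped", "prepended": parts[0],
            "appended": parts[1], "markers": hits}

# Constructed sample data (not taken from any real incident).
ORIGINAL = b"<html><body><h1>Welcome</h1></body></html>\n"
SERVED_WRAPPED = (b'<iframe src="http://placeholder.invalid/" height="0"></iframe>\n'
                  + ORIGINAL + b"<!-- constructed footer -->")
SERVED_REPLACED = b"<html><body>hah hah</body></html>"

if __name__ == "__main__":
    for label, served in [("same", ORIGINAL), ("wrapped", SERVED_WRAPPED),
                          ("replaced", SERVED_REPLACED)]:
        print(label, check_page(ORIGINAL, served))
```

A "wrapped" result on files that are intact on disk points at the server or host configuration rather than the site's own files, while "modified" means the file content itself should be inspected.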