[thelist] Hacked by kerem125

Chris Dempsey evolt at cubeit.co.uk
Fri Feb 2 10:57:33 CST 2007


Thanks for the further details.  Just to clarify, it's not one of our hosts
or clients that is affected [although one of our directors happens to be on
the board of the company with the issue].  The owner of the website has
managed to contact their host and they are looking at this now.

I will look at this further when time allows for my own information.

Thanks again.

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Mark Groen
Sent: 02 February 2007 15:48
To: thelist at lists.evolt.org
Subject: Re: [thelist] Hacked by kerem125

On Friday 02 February 2007 06:36, Chris Dempsey wrote:

> Anyone seen this before or know of a way to identify exactly what has been
> compromised?  I'm guessing that someone simply gained access via FTP and
> changed the default page.

In the past couple years the bot-net/trojan launched from a web page or in
an attachment and the SQL-injection methods have been most popular, iirc.
Don't know what that dormant bot-net is going to do once it lets loose, but
that's another subject...

Another popular hack is to get an account at a web host, and attack
internally with a kit that (rootkit for lack of a better term) exploits by
prepending or appending to the file server's web page output, then either
frames the Cpanel, Plesk etc. (host's customer control panel) and snags
passwords for later use, or simply redirects to a "hah hah" page.

Which is what *may* be happening here. The implication is that the host 
provider may not be quite up to date, or is allowing the mod_layout (custom 
Apache mod) to be inserted etc. etc. - after everything has settled down, 
change your passwords (mixed cAsE plus at least one number, minimum) and 
ensure all server input from site visitors is sanitized. 

Check with the host and see if other sites are in the same boat, (use their 
forum if they have one for example) if so, then it may not be your clients' 
web site files that have a hole, but check anyways.
-- 
cheers,

        mark
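
An added example, not part of the original thread: one way to tell whether a static page was changed on disk or is being wrapped at the server, as in the prepend/append case Mark describes. The function name, the markup heuristic and the sample byte strings are all constructed for illustration, and the check only applies to static files that the server should return byte-for-byte.

```python
import re

# Heuristic (an assumption of this example): markup that can carry a frame or redirect.
SUSPICIOUS = re.compile(rb"<\s*(iframe|frame|script|meta\b[^>]*refresh)", re.I)

def classify_served_page(on_disk: bytes, served: bytes) -> dict:
    """Compare a static file as stored with the same file as returned over HTTP."""
    disk, live = on_disk.strip(), served.strip()
    result = {"verdict": "match", "prepended": b"", "appended": b"", "suspicious": False}
    if disk == live:
        return result
    pos = live.find(disk)
    if pos == -1:
        # The stored file is not present intact in the response: either the copy
        # being served is a different file, or the content was rewritten in place.
        result["verdict"] = "content-differs"
        result["suspicious"] = bool(SUSPICIOUS.search(live))
        return result
    # The stored file is intact but surrounded by extra output, which points at
    # the server (output filter or module) rather than the site's own files.
    result["verdict"] = "wrapped-by-server"
    result["prepended"] = live[:pos]
    result["appended"] = live[pos + len(disk):]
    result["suspicious"] = bool(SUSPICIOUS.search(result["prepended"] + result["appended"]))
    return result

# Constructed sample data: the file as uploaded, and three possible responses.
DISK = b"<html><body><h1>Welcome</h1></body></html>\n"
SERVED_CLEAN = DISK
SERVED_WRAPPED = (b'<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
                  + DISK + b"<!-- footer -->\n")
SERVED_REPLACED = b"<html><body><h1>defaced</h1></body></html>\n"

if __name__ == "__main__":
    for name, body in [("clean", SERVED_CLEAN), ("wrapped", SERVED_WRAPPED),
                       ("replaced", SERVED_REPLACED)]:
        r = classify_served_page(DISK, body)
        print(name, r["verdict"], "suspicious" if r["suspicious"] else "")
```

A "wrapped-by-server" verdict on an untouched file is the case to raise with the host; "content-differs" means the site's own files need checking first.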