[thelist] Hacked by kerem125

Mark Groen evolt at markgroen.com
Fri Feb 2 09:48:12 CST 2007


On Friday 02 February 2007 06:36, Chris Dempsey wrote:

> Anyone seen this before or know of a way to identify exactly what has been
> compromised?  I'm guessing that someone simply gained access via FTP and
> changed the default page.

In the past couple years the bot-net/trojan launched from a web page or in an 
attachment and the SQL-injection methods have been most popular, iirc. Don't 
know what that dormant bot-net is going to do once it lets loose, but that's 
another subject...

Another popular hack is to get an account at a web host, and attack internally 
with a kit (rootkit for lack of a better term) that exploits by prepending or 
appending to the file server's web page output, then either frames the 
Cpanel, Plesk etc. (host's customer control panel) and snags passwords for 
later use, or simply redirects to a "hah hah" page.

Which is what *may* be happening here. The implication is that the host 
provider may not be quite up to date, or is allowing the mod_layout (custom 
Apache mod) to be inserted etc. etc. - after everything has settled down, 
change your passwords (mixed cAsE plus at least one number, minimum) and 
ensure all server input from site visitors is sanitized. 

Check with the host and see if other sites are in the same boat (use their 
forum if they have one, for example); if so, then it may not be your clients' 
web site files that have a hole, but check anyways.
-- 
cheers,

        mark
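One way to check for the output-tampering Mark describes, as an added example that is not part of the original thread: compare the page as uploaded against what the server actually returns, and flag any inserted iframe, script or meta refresh. Both HTML samples below are constructed, and the `login.example.invalid` host is a placeholder.

```python
"""Detect content a server-level hook has prepended, appended or inserted
into a page by diffing the on-disk file against the served copy.
Added example; the sample pages are constructed, not from a real incident."""
import difflib
import re

# Constructed sample: the file the developer uploaded via FTP.
ON_DISK = """<html><head><title>Acme Widgets</title></head>
<body>
<h1>Welcome</h1>
<p>Our catalogue.</p>
</body></html>
"""

# Constructed sample: what the web server hands to visitors. The trailing
# zero-size iframe is the kind of addition used to frame a control panel.
SERVED = ON_DISK + (
    '<iframe src="http://login.example.invalid/cpanel" '
    'width="0" height="0"></iframe>\n'
)

# Tags that a panel-framing or redirect-to-defacement hook would need.
SUSPECT_TAG = re.compile(
    r"<(iframe|script|meta\s+http-equiv=[\"']?refresh)\b[^>]*>", re.I)


def injected_segments(on_disk: str, served: str) -> list:
    """Return the text chunks present in `served` but not in `on_disk`.
    Diffing line by line makes a prepended or appended block one chunk."""
    a = on_disk.splitlines(keepends=True)
    b = served.splitlines(keepends=True)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return ["".join(b[j1:j2])
            for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


def suspicious_injections(on_disk: str, served: str) -> list:
    """Injected chunks that carry an iframe, script or meta refresh."""
    return [c for c in injected_segments(on_disk, served)
            if SUSPECT_TAG.search(c)]


def classify(on_disk: str, served: str) -> str:
    """'clean' (identical), 'modified' (differs, no suspect tags) or
    'injected' (a suspect tag was added between disk and wire)."""
    segments = injected_segments(on_disk, served)
    if not segments:
        return "clean"
    return "injected" if any(SUSPECT_TAG.search(s) for s in segments) else "modified"


if __name__ == "__main__":
    for chunk in suspicious_injections(ON_DISK, SERVED):
        print("injected:", chunk.strip())
```

Run it against a site by reading each file from the FTP copy and fetching the same URL; a difference that appears on every page, including ones you never changed, points at the host rather than your own files.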