Thanks for the further details. Just to clarify, it's not one of our hosts or clients that is affected [although one of our directors happens to be on the board of the company with the issue]. The owner of the website has managed to contact their host and they are looking at this now. I will look at this further when time allows for my own information. Thanks again.

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Mark Groen
Sent: 02 February 2007 15:48
To: thelist at lists.evolt.org
Subject: Re: [thelist] Hacked by kerem125

On Friday 02 February 2007 06:36, Chris Dempsey wrote:
> Anyone seen this before or know of a way to identify exactly what has been
> compromised? I'm guessing that someone simply gained access via FTP and
> changed the default page.

In the past couple years the bot-net/trojan launched from a web page or in an attachment and the SQL-injection methods have been most popular, iirc. Don't know what that dormant bot-net is going to do once it lets loose, but that's another subject...

Another popular hack is to get an account at a web host, and attack internally with a kit that (rootkit for lack of a better term) exploits by prepending or appending to the file server's web page output, then either frames the Cpanel, Plesk etc. (host's customer control panel) and snags passwords for later use, or simply redirects to a "hah hah" page. Which is what *may* be happening here.

The implication is that the host provider may not be quite up to date, or is allowing the mod_layout (custom Apache mod) to be inserted etc. etc. - after everything has settled down, change your passwords (mixed cAsE plus at least one number, minimum) and ensure all server input from site visitors is sanitized.
Check with the host and see if other sites are in the same boat, (use their forum if they have one for example) if so, then it may not be your clients' web site files that have a hole, but check anyways.

--
cheers,
mark
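
Added example, not part of the original thread: a triage check that separates the two explanations raised above, a changed file (the FTP guess) versus content prepended or appended to the server's output (the mod_layout scenario). It compares a known-good copy of a static page with the file on the server and with the HTTP response body; the function names, the sample bytes and the suspicious-markup pattern are assumptions made for illustration.

```python
import re

# Markup often used to frame or redirect a page (heuristic list, an assumption).
SUSPICIOUS = re.compile(rb"<\s*(?:iframe|frameset|script|meta[^>]+refresh)", re.I)

def normalize(data: bytes) -> bytes:
    """Ignore line-ending and leading/trailing whitespace differences."""
    return data.replace(b"\r\n", b"\n").strip()

def triage(known_good: bytes, on_disk: bytes, served: bytes) -> dict:
    """Classify where a static page was altered: in the file or in the server output."""
    good, disk, live = (normalize(x) for x in (known_good, on_disk, served))

    def result(verdict, pre=b"", post=b""):
        return {"verdict": verdict, "prepended": pre, "appended": post,
                "suspicious": bool(SUSPICIOUS.search(pre + post))}

    if disk != good:
        # The file itself changed: consistent with FTP or account access.
        return result("file-modified")
    if live == good:
        return result("clean")
    start = live.find(good)
    if start == -1:
        # File is intact but the response does not contain it at all.
        return result("output-rewritten")
    # File is intact and served whole, with extra bytes around it:
    # consistent with output being wrapped at the server level.
    return result("output-wrapped", live[:start], live[start + len(good):])

# Constructed sample data (not taken from the affected site).
GOOD = b"<html><body><h1>Welcome</h1></body></html>\n"
DEFACED = b"<html><body>defaced</body></html>\n"
WRAPPED = b'<iframe src="http://placeholder.invalid/" width="0" height="0"></iframe>\n' + GOOD

if __name__ == "__main__":
    for name, disk, live in [("clean", GOOD, GOOD),
                             ("ftp-style", DEFACED, DEFACED),
                             ("wrapped", GOOD, WRAPPED)]:
        print(name, triage(GOOD, disk, live))
```

The comparison is only meaningful for static files; dynamically generated pages differ from their source by design.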