[ale] I've been hacked!

Mike Harrison meuon at geeklabs.com
Thu Nov 22 09:12:08 EST 2007


> That's what I'm trying to figure out.  I just looked and it came back.  I 
> started looking closer and every index.html has the same code.

I haven't had to clean one of those out in a few years, but I'll bet the 
techniques are the same, and there is something running as root, possibly 
via a cron or an altered cron that is adding that to every index.html 
file. The vector may be a bad CGI program, or something on the server like 
sqwebmail - which I recently had a server nailed via an exploit in.
I had just done 'apt-get install courier...' and it was nailed 10 minutes 
later while I was still configuring things.

While obfuscation isn't really a valid technique, I'm back to renaming
any common CGI/PHP programs to something a little odd, keeps the 
auto-infecting robot scanner programs from finding them anyway.

Luckily, this one isn't your server, the bad news is that it isn't your 
server... so you can't fix it.
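
One way to confirm the "it came back" behaviour described above and to time it against the cron schedule, given here as an added example that is not part of the original message: take a baseline of every index.html after cleaning, then re-run to see which files changed and which lines were added identically to all of them. The function names, the temporary directory layout and the marker line are constructed for illustration.

```python
import os
import tempfile
import time

def snapshot(root):
    """Map each index.html under root to (mtime, set of its stripped non-empty lines)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, "r", errors="replace") as fh:
                lines = {ln.strip() for ln in fh if ln.strip()}
            snap[path] = (os.path.getmtime(path), lines)
    return snap

def reinfection_report(before, after):
    """Return (changed paths, lines newly present in every changed file, latest mtime)."""
    added = {}
    for path, (mtime, lines) in after.items():
        old = before.get(path)
        # A file missing from the baseline counts as entirely new content.
        new_lines = lines - old[1] if old else set(lines)
        if new_lines:
            added[path] = (mtime, new_lines)
    if not added:
        return [], set(), None
    # A line added to every changed file points at an automated injector.
    common = set.intersection(*(nl for _m, nl in added.values()))
    latest = max(m for m, _nl in added.values())
    return sorted(added), common, latest

def demo():
    """Constructed sample: three clean pages, then the same marker appended to each."""
    marker = "<!-- CONSTRUCTED-INJECTED-MARKER -->"
    with tempfile.TemporaryDirectory() as root:
        for site in ("a", "b", os.path.join("b", "docs")):
            os.makedirs(os.path.join(root, site), exist_ok=True)
            with open(os.path.join(root, site, "index.html"), "w") as fh:
                fh.write(f"<html>\n<body>site {site}</body>\n</html>\n")
        before = snapshot(root)
        for path in before:
            with open(path, "a") as fh:
                fh.write(marker + "\n")
        return reinfection_report(before, snapshot(root))

if __name__ == "__main__":
    changed, common, latest = demo()
    print(len(changed), "files changed; lines added to all of them:", common)
    print("last write:", time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(latest)))
```

The last-write time is the value to compare against the minute and hour fields of root's crontab entries and the files under /etc/cron.*.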




