[ale] I've been hacked!

Jim Lynch ale_nospam at fayettedigital.com
Thu Nov 22 09:37:08 EST 2007


Mike Harrison wrote:
>> That's what I'm trying to figure out.  I just looked and it came 
>> back.  I started looking closer and every index.html has the same code.
>
> I haven't had to clean one of those out in a few years, but I'll bet 
> the techniques are the same, and there is something running as root, 
> possibly via a cron or an altered cron that is adding that to every 
> index.html file. The vector may be a bad CGI program, or something on 
> the server like sqwebmail - which I recently had a server nailed via 
> an exploit in.
> I had just done 'apt-get install courier...' and it was nailed 10 
> minutes later while I was still configuring things.
>
> While obfuscation isn't really a valid technique, I'm back to renaming
> any common CGI/PHP programs to something a little odd, keeps the 
> auto-infecting robot scanner programs from finding them anyway.
>
> Luckily, this one isn't your server, the bad news is that it isn't 
> your server... so you can't fix it.
Sure I can.  :-)  I'm moving to a different provider!  If the 
problem follows me I'll know it's something of mine.