[lug] shared server hacked

Kenneth D. Weinert kenw at quarter-flash.com
Wed Mar 2 21:31:35 MST 2011


Evidently my hosting service suffered a major intrusion about the middle
of January.

I just found out that there was a problem today.  I know I have a lot of
cleanup to do, but one of the things is that they've installed a file. I
was going to gzip it (to make it unusable but available), but I get the
message that there's one other link.

The question I have is one my mind has gone blank on - how to find the
"other end" of the link.

Thanks for any pointers.

Ken


BTW: this was a very interesting exploit. There are two other sites that
I'm hosting that I did all the development on so it's completely custom
software. I found at least two files that they've changed - they spent
the time to find where to include their code into my structure. This is
not exactly straight up code.

All the added files are owned by the account owner which indicates to me
that the hosting company had a root exploit. Good conclusion?
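Locating the "other end" of the hard link, as an added example that is not part of the original post: a hard link is just a second directory entry for the same inode, so the way to find it is to search the filesystem that holds the planted file for entries with the same device and inode. The script assumes a find that supports -samefile (GNU and BSD do) and uses a constructed temporary directory as its sample; on a real host you would point it at the planted file, run it as root so no directory is unreadable, and review every path it prints before cleaning up.

```shell
#!/bin/sh
# Added example, not code from the original post: locate every other
# directory entry that shares an inode with a suspicious file. Hard links
# cannot cross filesystems, so the search starts at the file's mount point
# and stays on that filesystem (-xdev). Run as root on a real host.

# Absolute, symlink-free path of $1 (portable: no realpath needed).
canonical() {
    printf '%s/%s\n' "$(cd "$(dirname -- "$1")" && pwd -P)" "$(basename -- "$1")"
}

# Mount point of the filesystem holding $1 (df -P output format is POSIX).
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# Link count of $1, taken from the second column of ls -l.
link_count_of() {
    ls -ld "$1" | awk '{ print $2 }'
}

# Print every path other than $1 that refers to the same inode.
# $2 (optional) narrows the search root; default is the whole filesystem.
other_links() {
    file=$(canonical "$1")
    root=$(cd "${2:-$(mount_point_of "$file")}" && pwd -P)
    # -samefile matches on device+inode; the original path is filtered out.
    find "$root" -xdev -samefile "$file" ! -path "$file" 2>/dev/null
}

# Constructed demonstration: a planted file with one extra link hidden in a
# dot-directory, which is why gzip reports "one other link".
demo_dir=$(mktemp -d)
mkdir "$demo_dir/.cache"
printf 'constructed sample file\n' > "$demo_dir/planted.php"
ln "$demo_dir/planted.php" "$demo_dir/.cache/sess_0a1b"
echo "link count: $(link_count_of "$demo_dir/planted.php")"
echo "other links to planted.php:"
other_links "$demo_dir/planted.php" "$demo_dir"
```

Once every link is known, removing or archiving all of them (not just the visible one) is what makes the inode actually go away; a remaining link keeps the original bytes on disk under another name.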