[ale] I've been hacked!
Mike Harrison
meuon at geeklabs.com
Thu Nov 22 09:12:08 EST 2007
> That's what I'm trying to figure out. I just looked and it came back. I
> started looking closer and every index.html has the same code.
I haven't had to clean one of those out in a few years, but I'll bet the
techniques are the same, and there is something running as root, possibly
via a cron or an altered cron that is adding that to every index.html
file. The vector may be a bad CGI program, or something on the server like
sqwebmail - which I recently had a server nailed via an exploit in.

I had just done 'apt-get install courier...' and it was nailed 10 minutes
later while I was still configuring things.

While obfuscation isn't really a valid technique, I'm back to renaming
any common CGI/PHP programs to something a little odd, keeps the
auto-infecting robot scanner programs from finding them anyway.

Luckily, this one isn't your server, the bad news is that it isn't your
server... so you can't fix it.
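
An added example, not part of the original message: a first triage pass for the situation described above, where every index.html carries the same code and it comes back after cleanup. It lists lines shared by every index.html under a web root and groups the files by modification time, since one tight batch points at a single job rewriting them all. The sample tree, the injected.example line and all function names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

def index_files(root):
    """All index.html files under root, sorted by path."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if f.lower() == "index.html")

def shared_lines(paths, min_len=20):
    """Stripped lines of at least min_len chars present in every file.
    On unrelated sites these are candidates for injected code, to be reviewed by hand."""
    counts = Counter()
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            counts.update({ln.strip() for ln in fh if len(ln.strip()) >= min_len})
    return sorted(ln for ln, n in counts.items() if n == len(paths))

def rewrite_batches(paths, window=60):
    """Group files whose mtime is within `window` seconds of the previous file's.
    One large batch suggests a single job (for example cron) rewrote them together."""
    batches, last = [], None
    for mtime, p in sorted((os.path.getmtime(p), p) for p in paths):
        if last is not None and mtime - last <= window:
            batches[-1].append(p)
        else:
            batches.append([p])
        last = mtime
    return batches

def build_sample(root):
    """Constructed sample: three unrelated sites, same added line, rewritten 5 s apart."""
    injected = '<iframe src="http://injected.example/" width="0" height="0"></iframe>'
    for i, site in enumerate(("alpha", "beta/blog", "gamma")):
        os.makedirs(os.path.join(root, site))
        path = os.path.join(root, site, "index.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<html><body><h1>Welcome to site {site}</h1>\n{injected}\n</body></html>\n")
        stamp = 1195740000 + i * 5  # constructed timestamps
        os.utime(path, (stamp, stamp))
    return injected

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        files = index_files(root)
        print("shared lines:", shared_lines(files))
        print("batch sizes:", [len(b) for b in rewrite_batches(files)])
```

A batch time that repeats after each cleanup is the value to compare against cron schedules and the web server's access log.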