[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Files keep appearing
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Files keep appearing
- From: "Colin Copley" <colin.75@xxxxxxxxxxxxxx>
- Date: Fri, 2 Jun 2006 17:41:49 +0100
Files keep appearingHi
Have you taken a look from the outside as it were, at the website that is
hosted above the /Resources directory where they keep appearing?
Are they being uploaded through some insecure feature the webdevelopers have
bolted onto the page, upload your CV / Docs kind of thing?
That would look like legit site traffic in your connection logs.
Any .pl / ,php / .asp scripts in or around that directory & do they log the
filenames?
It could be that the site itself is insecure presenting the phisher a way in
despite running a fully patched server.
The original site could even be a smokescreen in which to hide the phishing
pages...
> - no connections were made on my server
Remember if your webserver has been compromised through a known vuln or 0day
the logs could be lying.
Regards
Colin
----- Original Message -----
From: Stephen Johnson
To: Untitled
Sent: Friday, June 02, 2006 5:08 AM
Subject: [Full-disclosure] Files keep appearing
I keep having a phishing website appear on my web server.
They keep showing up in a Resources folder of one of the sites that I host.
I have gone through the logs and I am not seeing any connections. I deleted
the files this morning and this evening they re-appeared - no connections were
made on my server during that period of time.
Also, there are no cron jobs that I noticed that looked out of the ordinary.
I am running MySQL, PHP, Apache2 on a debian linux server.
Any thoughts?
--
Stephen Johnson
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/