Bob,
If they had a folder on a desktop, you have to assume that your server
was hacked, rooted, and your account was exploited. The safest thing to
do would be to change all of your administrative passwords everywhere on
your network, and rebuild that server from a formatted disk. You could
of course try to save the installation, but I have seen many such
servers re-hacked and that suggests that being rooted is more common
than not. Firewalling everything that isn't absolutely necessary is
also very wise, and may have prevented this in the first place.
They probably made their way in through some OS, service or scripting
hack. Common targets of phishers are often any tool that allows uploads
of one form or another, such as content management systems/wikis or
discussion boards. For instance, PHP-Nuke is a favorite, and anything
that comes with a control panel hosting environment.
Lots of luck,
Matt
Bob McGregor wrote:
this is a bit off-topic but
we had one of our servers last night have the eBay spoof page loaded on it.
Anyone have info as to how this gets loaded and, more importantly, how to keep it
from happening?
The only things I found were the htm page that was referenced in the spam e-mail
and a folder on the desktop named sign in_files with the images associated with
the page.
I want to keep it from happening again.
thanks, bob
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.