Bob, drop an email to the handler on duty at http://isc.sans.org/ for some general advice. They may also have some specific reference to point you to regarding a vulnerability or they may recognize the modus operandi of what you saw. I don't recognize it, myself.
Generally speaking, your best bet is to take that machine offline and rebuild it from known good sources.

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Bob McGregor
> Sent: Wednesday, June 14, 2006 11:37 AM
> To: Declude-List
> Subject: [Declude.Virus] the ebay spoof spam stuff
>
> this is a bit off-topic but
>
> we had one of our servers last night have the ebay spoof page
> loaded on it. Anyone have info as to how this gets loaded
> and, more importantly how to keep it from happening?
>
> The only things I found were the htm page that was referenced
> in the spam e-mail and a folder on the desktop named sign
> in_files with the images associated with the page.
>
> I want to keep it from happening again.
>
> thanks, bob
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.