Hi
Have you taken a look from the outside, as it were, at the website that is hosted above the /Resources directory where they keep appearing?
Are they being uploaded through some insecure feature the web developers have bolted onto the page, upload your CV / Docs kind of thing?
That would look like legit site traffic in your connection logs.
Any .pl / .php / .asp scripts in or around that directory & do they log the filenames?
It could be that the site itself is insecure, presenting the phisher a way in despite running a fully patched server.
The original site could even be a smokescreen in which to hide the phishing pages...
> no connections were made on my server
Remember, if your webserver has been compromised through a known vuln or 0day, the logs could be lying.
Regards
Colin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
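
The log check suggested in the message above, as an added example that is not part of the original post: for each file under /Resources, it lists the successful POSTs to .pl / .php / .asp handlers seen shortly before the file was first served. It assumes Apache common/combined access-log format; the sample lines, the 10-minute window and the script name `cv_upload.pl` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: Apache common/combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".pl", ".php", ".asp")


def parse(line):
    """Return (ip, time, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def upload_candidates(lines, watched="/Resources/", window=timedelta(minutes=10)):
    """Map each file first served from `watched` to the script POSTs
    (client ip, script path) that succeeded within `window` before it."""
    posts, first_seen = [], {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: skip, do not guess
        ip, ts, method, path, status = rec
        if method == "POST" and path.lower().endswith(SCRIPT_EXT) and status < 400:
            posts.append((ts, ip, path))
        elif (method == "GET" and path.startswith(watched)
              and status == 200 and path not in first_seen):
            first_seen[path] = [(p_ip, p_path) for p_ts, p_ip, p_path in posts
                                if timedelta(0) <= ts - p_ts <= window]
    return first_seen


# Constructed sample lines (documentation IP ranges, hypothetical script name).
SAMPLE = [
    '198.51.100.4 - - [12/Mar/2007:09:58:01 +0000] "GET /Resources/logo.gif HTTP/1.1" 200 2311',
    '203.0.113.7 - - [12/Mar/2007:10:01:12 +0000] "POST /cgi-bin/cv_upload.pl HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2007:10:02:40 +0000] "GET /Resources/login.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for path, leads in upload_candidates(SAMPLE).items():
        print(path, leads)
```

A file with an empty list had no script POST before it in the window; a non-empty list is only a lead to compare against the script's own upload log, and none of it can be trusted if the server's logs were tampered with.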
