Re: [Declude.Virus] the ebay spoof spam stuff

2006-06-14 Thread Matt

Bob,

If they had a folder on a desktop, you have to assume that your server 
was hacked, rooted, and your account was exploited.  The safest thing to 
do would be to change all of your administrative passwords everywhere on 
your network, and rebuild that server from a formatted disk.  You could 
of course try to save the installation, but I have seen many such 
servers re-hacked and that suggests that being rooted is more common 
than not.  Firewalling everything that isn't absolutely necessary is 
also very wise, and may have prevented this in the first place.


They probably made their way in through some OS, service or scripting 
hack.  Common targets of phishers is often any tool that allows uploads 
of one form or another such as content management systems/wiki's or 
discussion boards.  For instance, PHP-Nuke is a favorite, and anything 
that comes with a control panel hosting environment.


Lots of luck,

Matt


Bob McGregor wrote:


this is a bit off-topic but

we had one of our servers last night have the ebay spoof page loaded on it. 
Anyone have info as to how this gets loaded and, more imporantly how to keep it 
from happening?

The only things I found was the htm page that was referenced in the spam e-mail 
and a folder on the desktop named sign in_files with the images associated with 
the page.

I want to keep it from happening again.

thanks, bob



---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



 




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.



RE: [Declude.Virus] the ebay spoof spam stuff

2006-06-14 Thread Colbeck, Andrew
Bob, drop an email to the handler on duty at http://isc.sans.org/ for
some general advice.  They may also have some specific reference to
point you to regarding a vulnerability or they may recognize the modus
operandi of what you saw.  I don't recognize it, myself.

Generally speaking, your best bet is to take that machine offline and
rebuild it from known good sources.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Bob McGregor
 Sent: Wednesday, June 14, 2006 11:37 AM
 To: Declude-List
 Subject: [Declude.Virus] the ebay spoof spam stuff
 
 this is a bit off-topic but
 
 we had one of our servers last night have the ebay spoof page 
 loaded on it. Anyone have info as to how this gets loaded 
 and, more imporantly how to keep it from happening?
 
 The only things I found was the htm page that was referenced 
 in the spam e-mail and a folder on the desktop named sign 
 in_files with the images associated with the page.
 
 I want to keep it from happening again.
 
 thanks, bob
 
 
 
 ---
 This E-mail came from the Declude.Virus mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.Virus.The archives can be found
 at http://www.mail-archive.com.
 
 


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.The archives can be found
at http://www.mail-archive.com.