Jacque, This usually happens once one of two things happens:
1 - you have a compromised FTP account. Maybe one collaborator lost your FTP account or an infected machine is harvesting them from your HD (more common on Windows). Something caused the FTP account to be compromised; after that the hacker uploads a single PHP script and calls this script with CURL or something similar, which causes the script to execute on the server. This script is usually a bootstrap script that will download more nastiness and infect other files.

2 - an exploit on some software you're using on the server side. This mostly happens when using stuff you didn't build, such as WordPress or other popular CMSs. WordPress is a big target for hackers because it is the most popular CMS out there.

Be aware that if your LiveCode Server application has an upload feature such as an "upload your photo" form that works by saving the uploaded file somewhere and then sending it to the browser when needed, for example by using something similar to:

    <img src="photos/<?rev put photoFilePath ?>" />

where you simply send an image with its source pointing to the uploaded file, this is a major risk: if the hacker uploads a PHP file instead of a nice mug shot, the PHP file will be executed when the browser requests that image. If you're accepting files on forms, always check the file with a command like:

    function filetype pFile
       -- quote the path so spaces or shell metacharacters in the
       -- file name reach file(1) as a single argument
       return shell("file --mime" && quote & pFile & quote)
    end filetype

This function will return the MIME type for a given file on Mac OS X or Linux (any Unix I think...).

On Fri, Jun 15, 2012 at 12:29 AM, J. Landman Gay <jac...@hyperactivesw.com> wrote:

> On 6/14/12 8:58 PM, stephen barncard wrote:
>
>> these guys would pack a string of URLEncoded PHP code with no white space
>> into a global, then decode and call it. It was usually placed at the bottom
>> of one's document.
>>
>
> It's still not clear to me how they did this.
>
> The security snafu was a year ago and the hacker didn't get any passwords,
> only a few user names. Unless anyone's password is "12345" I kind of doubt
> this recent incident is related, and it was a long time ago anyway.
>
> Is there a likely explanation how they got in this time? Something we
> should watch out for?
>
> --
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

--
http://www.andregarzia.com
-- All We Do Is Code.
http://fon.nu -- minimalist url shortening service.
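As an added example (not code from the thread or from LiveCode), here is the content-based check Andre describes, done in Python for a photo-upload form: the file is identified by its leading bytes rather than by the client's filename or Content-Type, and is stored under a server-chosen name. The PNG and PHP sample inputs are constructed for the demo.

```python
import os
import secrets
import tempfile

# Leading bytes ("magic") of the image types the photo form is allowed to accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}


def sniff_image(data: bytes):
    """Return (mime, extension) if the content starts with an allowed image magic, else None."""
    for magic, result in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return result
    return None


def store_upload(data: bytes, upload_dir: str):
    """Store an upload only if its content is an allowed image.

    The client-supplied filename is deliberately not a parameter: its extension is
    attacker-controlled, so the stored name is generated server-side with an
    extension derived from the sniffed type. Returns the stored name, or None.
    """
    sniffed = sniff_image(data)
    if sniffed is None:
        return None
    _mime, ext = sniffed
    name = f"{secrets.token_hex(8)}.{ext}"
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed sample uploads: a minimal PNG header, and a PHP script a client
# could submit under a filename such as "mugshot.jpg".
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"


def demo():
    """Run both samples through store_upload; returns (png_accepted, php_rejected)."""
    with tempfile.TemporaryDirectory() as upload_dir:
        png_name = store_upload(SAMPLE_PNG, upload_dir)
        php_name = store_upload(SAMPLE_PHP, upload_dir)
        return (png_name is not None and png_name.endswith(".png"), php_name is None)
```

A magic-byte check stops a bare PHP file but not a real image with PHP appended after it, so the photo directory should also be served with script execution disabled.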