Charles Campbell held forth: on 09/26/2012 09:52 AM:
doak wrote:
Hi,
On 25.09.2012 23:00, John Beckett wrote:
But in reality, there is not enough spam to warrant any messing
around.
In my opinion this is not related to spam.
As Marc Weber has already stated, I think it looks like an attack on the web server. As
far as I understand the issue, the uploaded "jpeg" tests if an already injected
file exists or it tests if the execution of the php code works.
As there were four (!) uploads of the same content, it looks like something
else was tried and the result was tested again.
I guess the uploaded content was only some stuff we noticed. The real issue
could be undetected yet.
May I suggest that our hardworking moderators should check on .htaccess
files' timestamps/content (if any). Setting up a cron job to download
any and all .htaccess files from the server and ensuring that their
contents haven't changed might be a fairly straightforward action.
Regards,
C Campbell
With all due respect, Dr., I'd suggest that at least a check of 'ctimes'
(to catch replaced files within the DocRoot or config areas of the HTTP
server) on or (soon) after the placement of the suspect images might be
warranted. htaccess might not be the (only?) target. Beyond that, if
there's truly concern about malicious activity on that server, full
forensics would be apropos - but that's a much larger discussion.
I wonder if tripwire or similar is in use on the site...
/Bill
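
The two checks suggested in this thread (comparing .htaccess contents against a saved copy, and listing files whose ctime falls on or after the suspect uploads), sketched as an added example that is not part of any poster's message. The directory layout, file contents and cutoff time are constructed for the demo, and ctime is assumed to have its Unix meaning of inode change time.

```python
import hashlib, os, tempfile, time

def snapshot_htaccess(root):
    """Map every .htaccess under root to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def changed_since(root, cutoff):
    """Relative paths of files whose ctime (Unix inode change time) >= cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_ctime >= cutoff:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed DocRoot: one .htaccess is rewritten and its mtime backdated."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel in (".htaccess", os.path.join("uploads", ".htaccess"), "index.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("# constructed sample content\n")
        baseline = snapshot_htaccess(root)   # the saved "known good" copy
        time.sleep(0.2)
        cutoff = time.time()                 # stands in for the suspect upload time
        time.sleep(0.2)
        target = os.path.join(root, "uploads", ".htaccess")
        with open(target, "a") as fh:
            fh.write("# constructed change made after the cutoff\n")
        os.utime(target, (0, 0))             # mtime reset to 1970; ctime still moves
        return diff_snapshots(baseline, snapshot_htaccess(root)), changed_since(root, cutoff)

if __name__ == "__main__":
    print(demo())
```

The backdated mtime in the demo shows why the ctime check matters: a listing sorted by modification time would place the altered file in 1970, while both the hash comparison and the ctime scan still flag it.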