lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri Jun  2 17:36:14 2006
From: colin.75 at btinternet.com (Colin Copley)
Subject: Files keep appearing

Files keep appearingHi

Have you taken a look from the outside as it were, at the website that is hosted above the /Resources directory where they keep appearing?

Are they being uploaded through some insecure feature the webdevelopers have bolted onto the page, upload your CV / Docs kind of thing?

That would look like legit site traffic in your connection logs. 

Any  .pl / ,php / .asp scripts in or around that directory & do they log the filenames?  

It could be that the site itself is insecure presenting the phisher a way in despite running a fully patched server.

The original site could even be a smokescreen in which to hide the phishing pages...  

> - no connections were made on my server 

Remember if your webserver has been compromised through a known vuln or 0day the logs could be lying.

Regards
Colin
  ----- Original Message ----- 
  From: Stephen Johnson 
  To: Untitled 
  Sent: Friday, June 02, 2006 5:08 AM
  Subject: [Full-disclosure] Files keep appearing


  I keep having a phishing website appear on my web server.  

  They keep showing up in a Resources folder of one of the sites that I host.  I have gone through the logs and I am not seeing any connections.  I deleted the files this morning and this evening they re-appeared - no connections were made on my server during that period of time. 

  Also, there are no cron jobs that I noticed that looked out of the ordinary. 

  I am running MySQL, PHP, Apache2 on a debian linux server. 

  Any thoughts? 

  -- 
  Stephen Johnson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060602/fff68775/attachment.html

Powered by blists - more mailing lists