08-25-2011, 06:29 PM
camperjohn64
Quote:
Originally Posted by livexxx
Quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc. is like after the horse has bolted. Try doing something like scan all your files for some of those data patterns, providing they didn't encrypt their upload.
I turned off proftpd and the script is still being added to the files. This means it isn't an FTP upload / password issue. The horse has bolted.

This means the server is infected with something.

It seems this will be my project for tonight. Must eat dinner now, but will try to find it.

Thoughts?
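Added example, not part of the original post: one way to run the scan livexxx suggests, flagging files that carry a known fragment of the appended script near their end and listing script files sitting in upload-style directories. The marker string, extension list and directory names are assumptions; substitute a fragment copied from one of the modified files and the site's real layout.

```python
import os

# Assumptions (not from the post): MARKER, SCRIPT_EXTS and UPLOAD_DIRS are
# placeholders. Use a fragment copied from one of your own modified files
# and the directory names your site actually accepts uploads into.
MARKER = b"EXAMPLE-INJECTED-MARKER"
SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi"}
UPLOAD_DIRS = {"uploads", "images", "img"}
TAIL_BYTES = 4096  # the post says the script is added to the end of files


def scan(root):
    """Return (appended, droppers): files with MARKER in their last
    TAIL_BYTES, and script files located under upload-style directories."""
    appended, droppers = [], []
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS and parts & UPLOAD_DIRS:
                droppers.append(path)  # executable script where only media belongs
            try:
                with open(path, "rb") as fh:
                    size = fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, size - TAIL_BYTES))
                    tail = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if MARKER in tail:
                appended.append(path)
    return sorted(appended), sorted(droppers)


if __name__ == "__main__":
    import sys
    hits, scripts = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("files with marker near the end:", *hits, sep="\n  ")
    print("scripts in upload directories:", *scripts, sep="\n  ")
```

As the quoted post notes, a literal pattern match only works if the uploaded script was not encrypted or otherwise obfuscated; the upload-directory listing does not depend on the marker.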