Date:  Thu, 30 Jul 2009 16:47:54 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.com>
Subject:  [coba-e:15857] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <263DF6699ABD463C91BEDF666DE04885@HP9925NR>
In-Reply-To:  <448973.64445.qm (at mark) web65603.mail.ac4.yahoo.com>
References:  <9277B28805F641DA9DE8381463E3DE12 (at mark) HP9925NR> <448973.64445.qm (at mark) web65603.mail.ac4.yahoo.com>
X-Mail-Count: 15857

> -----Original Message-----
> From: Dan Kriwitsky [mailto:webhosting (at mark) yahoo.com]
> Sent: Thursday, July 30, 2009 4:00 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15856] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
>
> You'll notice in brute force attempts that they try root and don't know
> they must log in as admin.

Dan, I get the impression this person knew what he was doing.  They were
probing every URL on all the websites on the server, and when the
444/login.php was reached, the person logged in, created a new
administrative user with root access, and then logged in as that user
instead of trying root.  It wasn't an SSH brute force; it was simply "find
the 444 login and sign in."
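A defender-side check for the pattern Darrell describes (one client probing many non-existent URLs, then reaching the admin login on port 444), written here as an added example and not code posted to the list. The log layout, hostnames, IP addresses, timestamps and thresholds are constructed assumptions; the web server is assumed to log the virtual host and port in front of each line.

```python
import re
from collections import defaultdict
# Constructed sample in an Apache vhost_combined-style layout ("vhost:port"
# first); not real log data.  First client probes port 80, then hits 444.
SAMPLE_LOG = """\
www.example.com:80 198.51.100.7 - - [30/Jul/2009:15:40:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 512
www.example.com:80 198.51.100.7 - - [30/Jul/2009:15:40:02 -0400] "GET /admin/ HTTP/1.1" 404 512
www.example.com:80 198.51.100.7 - - [30/Jul/2009:15:40:03 -0400] "GET /login.php HTTP/1.1" 404 512
www.example.com:444 198.51.100.7 - - [30/Jul/2009:15:41:10 -0400] "GET /login.php HTTP/1.1" 200 2048
www.example.com:444 198.51.100.7 - - [30/Jul/2009:15:41:40 -0400] "POST /login.php HTTP/1.1" 302 0
www.example.com:444 203.0.113.9 - - [30/Jul/2009:15:51:00 -0400] "GET /login.php HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec

def find_scan_then_admin_login(log_text, admin_port=444,
                               login_path="/login.php", min_misses=3):
    """Clients that 404 on >= min_misses distinct paths and afterwards request
    the admin login page on admin_port (lines are processed in file order)."""
    misses = defaultdict(set)   # client -> distinct paths that returned 404
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = rec["client"]
        if rec["status"] == 404:
            misses[c].add(rec["path"])
        elif (rec["port"] == admin_port and rec["path"] == login_path
              and len(misses[c]) >= min_misses and c not in flagged):
            flagged.append(c)
    return flagged

if __name__ == "__main__":
    print("probe-then-admin-login:", find_scan_then_admin_login(SAMPLE_LOG))
```

Legitimate administrators normally go straight to the port-444 login without a trail of 404s first, which is what separates the two clients in the sample.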