
Date:  Wed, 16 Sep 2009 13:03:33 -0400
From:  Abdul Rashid Abdullah <webmaster (at mark) muntada.com>
Subject:  [coba-e:16042] Phishing Scams
To:  "coba-e (at mark) bluequartz.org" <coba-e (at mark) bluequartz.org>
Message-Id:  <C6D692A5.161FB%webmaster (at mark) muntada.com>
In-Reply-To:  <FAC6EC86CBB94943B0523EBA409F8EB6@raqware>
X-Mail-Count: 16042

Twice now two sites on one of my servers have been infected with a list of
directories containing php files that were used to launch phishing scams.  I
am unsure how these files were uploaded to the system.

I have changed my root/admin password.  I checked the timestamps but
couldn't find anything in the logs to show the upload.

Any ideas of what I could do to track this down?  The first time I chalked
it up to the fact that there were some old CGI scripts on the site (Matt Wright,
Selena Sol stuff).  The second time now I am concerned because the site only
had php stuff on it.  The only kind of CGI running is the OpenWebMail.  Not
sure if there is an exploit there but I couldn't readily see anything.

Anyone else having any issue like this?

Regards,

Rashid