Date:  Wed, 16 Sep 2009 19:31:45 +0200
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:16043] Re: Phishing Scams
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200909161931.45885.bq (at mark) solarspeed.net>
In-Reply-To:  <C6D692A5.161FB%webmaster (at mark) muntada.com>
References:  <C6D692A5.161FB%webmaster (at mark) muntada.com>
X-Mail-Count: 16043

Hi Rashid,

> Any ideas of what I could do to track this down?  The first time I chalked
> it up to the fact that there were some old CGI scripts on the site (Matt Wright,
> Selena Sol stuff).  The second time now I am concerned because the site
> only had php stuff on it.  The only kind of CGI running is the OpenWebMail.
>  Not sure if there is an exploit there but I couldn't readily see anything.

Which user owned the phishing files? If it was user "apache" it could have 
been that these files came aboard through a vulnerable PHP script.

If the files were owned by a user account, then it may be likely that they 
were uploaded through FTP through a compromised user account (weak password 
that has been guessed).

-- 
With best regards,

Michael Stauber
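
An added example, not part of the original message: a small Python script that applies the ownership check described in the reply to every file under a site's web root. The function names, the `since_days` filter, and the hint wording are hypothetical; `apache` as the web server user is taken from the message.

```python
#!/usr/bin/env python3
"""List files under a web root with their owner and a hint at the upload path."""
import os
import pwd
import stat
import sys
import time

WEB_HINT = "written by the web server process: review PHP/CGI scripts on the site"
ACCOUNT_HINT = "written as a user account: review FTP logins and that password"


def owner_name(uid):
    """Resolve a uid to a user name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def triage(docroot, web_user="apache", since_days=None):
    """Return (path, owner, mtime, hint) tuples, newest first."""
    cutoff = None if since_days is None else time.time() - since_days * 86400
    rows = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow planted symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            # mtime can be reset by whoever wrote the file; treat it as a lead only
            if cutoff is not None and st.st_mtime < cutoff:
                continue
            owner = owner_name(st.st_uid)
            hint = WEB_HINT if owner == web_user else ACCOUNT_HINT
            rows.append((path, owner, st.st_mtime, hint))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, owner, mtime, hint in triage(root, since_days=30):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(f"{stamp}  {owner:<12} {path}\n    {hint}")
```

Run it against the affected site's document root and compare the timestamps of suspicious files with the web server access log or the FTP transfer log, depending on the owner reported.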