Root owned the files. I have changed the root password. It was a
15-character, 2 Upper, 2 Lower, 2 Special, 2 Number minimum password, randomly
generated.

On 9/16/09 1:31 PM, "Michael Stauber" <bq (at mark) solarspeed.net> wrote:
> Hi Rashid,
>
>> Any ideas of what I could do to track this down? The first time I chalked
>> it up to the fact that there were some old CGI scripts on the site (Matt
>> Wright, Selena Sol stuff). The second time now I am concerned because the
>> site only had PHP stuff on it. The only kind of CGI running is the
>> OpenWebMail. Not sure if there is an exploit there but I couldn't readily
>> see anything.
>
> Which user owned the phishing files? If it was user "apache" it could have
> been that these files came aboard through a vulnerable PHP script.
>
> If the files were owned by a user account, then it may be likely that they
> were uploaded through FTP through a compromised user account (weak password
> that has been guessed).