----- Original Message -----
From: "Abdul Rashid Abdullah" <webmaster (at mark) muntada.com>
To: "coba-e (at mark) bluequartz.org" <coba-e (at mark) bluequartz.org>
Sent: Thursday, September 17, 2009 3:15 AM
Subject: [coba-e:16044] Re: Phishing Scams
> Root owned the files. I have changed the root password. It was a 15
> character, 2 Upper, 2 Lower, 2 Special, 2 Number minimum password randomly
> generated.
>
>
> On 9/16/09 1:31 PM, "Michael Stauber" <bq (at mark) solarspeed.net> wrote:
>
>> Hi Rashid,
>>
>>> Any ideas of what I could do to track this down? The first time I chalked
>>> it up to the fact that there were some old CGI scripts on the site (Matt
>>> Wright, Selena Sol stuff). The second time now I am concerned because the
>>> site only had php stuff on it. The only kind of CGI running is the
>>> OpenWebMail. Not sure if there is an exploit there but I couldn't readily
>>> see anything.
>>
>> Which user owned the phishing files? If it was user "apache" it could have
>> been that these files came aboard through a vulnerable PHP script.
>>
>> If the files were owned by a user account, then it may be likely that they
>> were uploaded through FTP through a compromised user account (weak password
>> that has been guessed).
>
Abdul
If root owned the files then you might need to cmu export, wipe the server,
then re-import to a fresh server.
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
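
The ownership triage discussed in this thread, as an added example that is not part of any poster's message: it groups recently changed files under a site directory by owner and attaches the entry point each owner suggests. It assumes the web server runs as `apache`, as named in the thread; the function names, the 7-day window and the directory argument are hypothetical.

```python
import os
import pwd
import sys
import time
from collections import defaultdict

WEB_USER = "apache"  # web server account named in the thread (assumption elsewhere)

def owner_name(uid):
    """Resolve a uid to a login name, falling back to the number for deleted accounts."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def hint_for(owner):
    """Map a file owner to the likely entry point, following the reasoning in the thread."""
    if owner == "root":
        return "root-level compromise: plan an export, wipe and re-import"
    if owner == WEB_USER:
        return "written by the web server: review PHP/CGI scripts"
    return "written as a site user: review FTP logins and reset that password"

def recent_files_by_owner(docroot, days):
    """Group files changed within `days` by owner name."""
    cutoff = time.time() - days * 86400
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the docroot
            except OSError:
                continue  # file vanished or is unreadable
            # ctime is checked too: mtime can be backdated with touch, while
            # ctime is set by the kernel on every write, chown or chmod.
            if max(st.st_mtime, st.st_ctime) >= cutoff:
                groups[owner_name(st.st_uid)].append(path)
    return dict(groups)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for owner, paths in sorted(recent_files_by_owner(root, 7).items()):
        print(f"{owner}: {len(paths)} file(s) -> {hint_for(owner)}")
        for p in sorted(paths):
            print("   ", p)
```

Run it as root against the affected site's directory so unreadable subdirectories are not skipped silently.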