Re: [Full-disclosure] what is this?

To: nick@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] what is this?
From: "crazy frog crazy frog" <i.m.crazy.frog@xxxxxxxxx>
Date: Mon, 14 Jan 2008 19:26:24 +0530
Cc: Untitled <full-disclosure@xxxxxxxxxxxxxxxxx>, PenTest <pen-test@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=IIH0ADykDSKmLj4QvjgpSRQuvUgPF16Qf1cZ93xKzYE=; b=fmDOc6jVEbq2GMcMC0Y1V6BT7lYq2kBjRW3lwqMM6a7wA/3x2KCokQQ6bfiomSyVyrFLKQzBR3S99J6LCc+gttrDjwkl7Tuu2qT4DGlZZzHokLYbFkJluvpLeaS1mshOosnQSXNV5AzTZv1TbP40c/QsXB+TW6UYemRUbR+fij8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=i6h1qcs9t8K+uijxMJo8/54zqpE/5tsPiINGPC0+fPywEFZ4HmqsdgNJ/G2oMxYgQKa8gNCpF/1sew/FcbBRxH+k+66cxxwTfRowibgiqdunyHZmcp06l+GV7pJldZNVsX8LkqR3r8CHMi9NtwWDP922vUhdHJ0bTRPPVrFrZ/w=
In-reply-to: <478C03C7.20071.9C754256@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <41011d980801130801x67eb0243r6ed73ac8a16d0d2a@xxxxxxxxxxxxxx> <1785101118.20080114123448@xxxxxxxxxxxxxxxx> <478C03C7.20071.9C754256@xxxxxxxxxxxxxxxxxxxxxxxx>

hmm.thanks everyone for the suggestions.

On Jan 14, 2008 5:22 PM, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
> 3APA3A wrote:
>
> > Dear crazy frog crazy frog,
> >
> >   Clear  your  computer  from  trojan,  change FTP password for you site
> >   hosting  access,  because it's stolen, access your hosting account via
> >   FTP  and remove additional text (usually at the end of the file, after
> >   </html>) from all HTML/PHP pages.
>
> Ummmm -- the only part of that likely to be relevant here is the last.
>
> These kinds of web page "compromises" are typically achieved through
> bad/ill-configured/non-updated server-side web applications (or their
> underlying script engines) and are typically achieved without requiring
> any more special or privileged access to the victim sites than the
> ability to run a clever Google search or your own brute-force spidering
> via a bot-net, etc.
>
> Of course, simply removing the undesired iframe/script/etc tags from
> your compromised pages is not enough.  Although doing so does not mean
> that this attacker will come back, it equally does nothing to close the
> hole they used in the first place, and the next attacker searching for
> that hole will hit you just as easily and indiscriminately...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

References:
- what is this?
  - From: crazy frog crazy frog
- Re: [Full-disclosure] what is this?
  - From: 3APA3A
- Re: [Full-disclosure] what is this?
  - From: Nick FitzGerald

Prev by Date: [SECURITY] [DSA 1460-1] New postgresql-8.1 packages fix several vulnerabilities
Next by Date: SQID v0.3 - SQL Injection Digger.
Previous by thread: Re: [Full-disclosure] what is this?
Next by thread: Re: what is this?
Index(es):
- Date
- Thread