rude awakening: spykids Ownz you

[richardevanslee]

That was the message that greeted me when I went to look at one of my sites. And it appeared on all the sites on that server. Trying to visit Cpanel I got “connection refused.”

I was able to load Movable Type, everything was there as it should be (and backed up). FTP’d in just fine.

Only the index pages were mucked with.

The couple of cgi scripts that I run don’t have any vulnerabilities that I’ve heard of. I don’t share passwords and the like.

Words of wisdom for someone completely inexperienced with this sort of thing?

[luchtwafel]

i woke up this morning with the following text on my site.

it was found in all 'index.*' files on my site, so even in subsites that i had made for friends using 'gallery' as well as my own site which is using Mambo.....

i found this online:
http://forum.mamboserver.com/showthread.php?t=26025

what can be done by JaguarPC?

i need to update my mambo version, but am not at home at the moment, and cannot even login to my site via the admin.

has anyone else suffered from this childish behaviour?

[Vin DSL]

Woo Hoo! That Stefany is hot! I like red-heads...

Anyway, if it was me, I guess I would contact Tech Support and tell them to take your site down until you've had a chance to check it out. Those turds might have stuck a root kit in there or something. That way you're covered, and 'they' are aware of the situation.

[Vin DSL]

Damn, dude! Did you actually shoot all those girls yourself?

[Vin DSL]

Hrm... Natascha's gallery is still working...

Must be a Mambo exploit.

[Vin DSL]

I don't know if you saw this, but 'Viceroy' had some 'emergency' maintenance done to it tonight. I wonder if that had anything to do with it...

[luchtwafel]

vin, how can you see the photo's? i did not even mention a link, only to the mambo site. but anyway, yes i did photograph all the models.

it must be down again, because none of the sites, even natascha's is working.... what now?

[Vin DSL]

I would contact Tech Support here at JaguarPC and have them help you.

And, Natascha's gallery is still working for me. I'll PM you the URL.

[luchtwafel]

contacted support, are working on it.

hmm maybe time to change from Mambo..... any suggestions?

[Vin DSL]

Well, any/all software has security issues. What you have to do is figure out how they cracked your site. The best way to do that is to download your raw log files in cPanel and go over them with a fine toothed comb, so to speak. This usually takes hours and hours, but if you look at your logs long enough, you should be able to figure out what they did. Then, it's just a matter of patching your software.

At a bare minimum, I would update your software to the latest version and keep up with the upgrades as soon as they come out.

[Gwaihir]

I guess work on it has started, Matthew? All I get currently is a "temporarily offline, due to emergency mainenance."

[luchtwafel]

yeah, have spoken to jaguar and they are working on it, i just got rid of the index.php file that was infected in the root...... looks better than the crack credo

[Daiver]

Link to gallery?

[richardevanslee]

has anyone else suffered from this childish behaviour?

Me. Same server. I don't run Mambo. Very little php, mostly perl scripts.

This almost makes me feel good (but not really). I try to be as paranoid, unadventurous as possible so I was pretty baffled what backdoor I could've left open.

Still can't access my Cpanel after about twelve hours but I trust JaguarPC's tech support folks to get it right so I have no complaint.

For once I see an advantage to having my fifteen sites on three different servers.

[mattsiegman]

http://jaguarpc.com/forums/showthrea...6240#post86240