If you posted a link to anything on your web space in an HTML web page as FTP-able, I'm pretty sure the user name and password will show up in the connection string. (I don't know if that's true of secure HTML but then again I don't run an FTP site).
Mark Cassino wrote:
> I noticed in the occupations thread that a few folks on this list are
> computer security professionals. I just had a disturbing experience - I
> logged into my web page to find a directory full of crap that I didn't
> put there. (Not to put on airs, but my crap is a notch above
> "free-ringtones".) Poring over the directories I found a couple of
> other links to pharm and mortgage sites.
>
> Thankfully I'm on the site via FTP almost every day - and sort
> directories by date last modified. That is intended to get me to the
> active directories that I'm working out of, so when an old directory
> showed up at the top of the list it made me wonder.
>
> My ISP says that the intruder probably guessed my password. No mention
> of the user name (which is a unique combination of letters.) (They said
> that the fact that the password was all lower case made it susceptible
> to being 'guessed') The password was basically just 8 random letters, no
> numbers or other characters, all lower case, but still just random. Like
> gossbrom or heplchat.
>
> So now I have a password that 1RuM-Pl**StilK()()(SkiNnnN! would be proud
> of. (Don't try it - not even close - waaaaay too simple.)
>
> So - is that explanation plausible? I find it hard to believe that
> someone could guess that well and wonder if there was some other breach.
>
> - MCC
>
> --

--
The more I know of men, the more I like my dog.
-- Anne Louise Germaine de Stael

--
PDML Pentax-Discuss Mail List
PDML@pdml.net
http://pdml.net/mailman/listinfo/pdml_pdml.net
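A check a site owner could run over their own pages for the case raised in the reply above, FTP links that carry a user name or password inside the URL. This is an added example, not part of the original thread; the sample HTML, host name and account names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that commonly hold URLs in HTML.
URL_ATTRS = {"href", "src", "action", "data"}


class FtpCredentialFinder(HTMLParser):
    """Collect ftp:// or ftps:// URLs that embed a user name or password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:  # malformed URL, nothing to report
                continue
            # urlsplit lower-cases the scheme, so FTP:// is matched too.
            if parts.scheme in ("ftp", "ftps") and parts.username:
                self.findings.append({
                    "line": self.getpos()[0],   # line where the tag starts
                    "tag": tag,
                    "host": parts.hostname,
                    "user": parts.username,
                    # Report only that a password is present, never its value.
                    "has_password": parts.password is not None,
                })


def scan_html(text):
    """Return one finding per URL attribute with embedded FTP credentials."""
    finder = FtpCredentialFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed sample page: one link with user and password, one anonymous
# link, one image URL with a user name only, one ordinary HTTPS link.
SAMPLE_HTML = """<html><body>
<a href="ftp://exampleuser:examplepass@ftp.example.com/photos/">Photos</a>
<a href="ftp://ftp.example.com/pub/">Anonymous mirror</a>
<img src="FTP://exampleuser@ftp.example.com/img/cat.jpg">
<a href="https://www.example.com/gallery.html">Gallery</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Any finding means the account name, and possibly the password, is readable by anyone who views the page source, so the credential should be changed and the link replaced.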