Re: [Declude.Virus] the ebay spoof spam stuff
thanks, I sent a message to the isc.sans.org via their webpage. The only accounts on the machine are local accounts however, some of those accounts (IIS accounts) had administrator access group assignment. this is a server built by a vendor years ago so I'm not sure I can rebuild it here. What I'll do is talk with them concerning the accounts and required groups and password changes and see if we can do it that way... if not they'll have to rebuild it. thanks Andrew and Matt for replying, bob On Wednesday, June 14, 2006 1:02 PM, Colbeck, Andrew <[EMAIL PROTECTED]> wrote: >Bob, drop an email to the handler on duty at http://isc.sans.org/ for >some general advice. They may also have some specific reference to >point you to regarding a vulnerability or they may recognize the modus >operandi of what you saw. I don't recognize it, myself. > >Generally speaking, your best bet is to take that machine offline and >rebuild it from known good sources. > >Andrew 8) > > >> -Original Message- >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On >> Behalf Of Bob McGregor >> Sent: Wednesday, June 14, 2006 11:37 AM >> To: Declude-List >> Subject: [Declude.Virus] the ebay spoof spam stuff >> >> this is a bit off-topic but >> >> we had one of our servers last night have the ebay spoof page >> loaded on it. Anyone have info as to how this gets loaded >> and, more imporantly how to keep it from happening? >> >> The only things I found was the htm page that was referenced >> in the spam e-mail and a folder on the desktop named sign >> in_files with the images associated with the page. >> >> I want to keep it from happening again. >> >> thanks, bob >> >> >> >> --- >> This E-mail came from the Declude.Virus mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >> type "unsubscribe Declude.Virus".The archives can be found >> at http://www.mail-archive.com. >> >> > > >--- >This E-mail came from the Declude.Virus mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.Virus".The archives can be found >at http://www.mail-archive.com. > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
RE: [Declude.Virus] the ebay spoof spam stuff
Bob, drop an email to the handler on duty at http://isc.sans.org/ for some general advice. They may also have some specific reference to point you to regarding a vulnerability or they may recognize the modus operandi of what you saw. I don't recognize it, myself. Generally speaking, your best bet is to take that machine offline and rebuild it from known good sources. Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Bob McGregor > Sent: Wednesday, June 14, 2006 11:37 AM > To: Declude-List > Subject: [Declude.Virus] the ebay spoof spam stuff > > this is a bit off-topic but > > we had one of our servers last night have the ebay spoof page > loaded on it. Anyone have info as to how this gets loaded > and, more imporantly how to keep it from happening? > > The only things I found was the htm page that was referenced > in the spam e-mail and a folder on the desktop named sign > in_files with the images associated with the page. > > I want to keep it from happening again. > > thanks, bob > > > > --- > This E-mail came from the Declude.Virus mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.Virus".The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] the ebay spoof spam stuff
Bob, If they had a folder on a desktop, you have to assume that your server was hacked, rooted, and your account was exploited. The safest thing to do would be to change all of your administrative passwords everywhere on your network, and rebuild that server from a formatted disk. You could of course try to save the installation, but I have seen many such servers re-hacked and that suggests that being rooted is more common than not. Firewalling everything that isn't absolutely necessary is also very wise, and may have prevented this in the first place. They probably made their way in through some OS, service or scripting hack. Common targets of phishers is often any tool that allows uploads of one form or another such as content management systems/wiki's or discussion boards. For instance, PHP-Nuke is a favorite, and anything that comes with a control panel hosting environment. Lots of luck, Matt Bob McGregor wrote: this is a bit off-topic but we had one of our servers last night have the ebay spoof page loaded on it. Anyone have info as to how this gets loaded and, more imporantly how to keep it from happening? The only things I found was the htm page that was referenced in the spam e-mail and a folder on the desktop named sign in_files with the images associated with the page. I want to keep it from happening again. thanks, bob --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.
[Declude.Virus] the ebay spoof spam stuff
this is a bit off-topic but we had one of our servers last night have the ebay spoof page loaded on it. Anyone have info as to how this gets loaded and, more imporantly how to keep it from happening? The only things I found was the htm page that was referenced in the spam e-mail and a folder on the desktop named sign in_files with the images associated with the page. I want to keep it from happening again. thanks, bob --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus".The archives can be found at http://www.mail-archive.com.