Re: Spoofed URI's or fake websites ?
Quoting Samuel Krieg <[EMAIL PROTECTED]>:

> I wrote this because of Jeff's phrase.
>
> > If they are windows do an fdisk, format, etc.
>
> I think it's important to work on the OS that you know how to configure,
> secure and manage. Whatever system it is. I did not want to praise any
> system.
>
> I remain paranoid and monitor system logs, smtp queries and network
> activities as well as I can.

Windows machines are notoriously difficult to fully clean. That's why many people end up reformatting the hard disk on them. As Matt pointed out, at least two of the compromised machines are Linux, so it's certainly good to have strict security policies, keep programs fully patched, etc., regardless of what OS one runs.

Jeff C.
Re: Spoofed URI's or fake websites ?
I wrote this because of Jeff's phrase.

> If they are windows do an fdisk, format, etc.

I think it's important to work on the OS that you know how to configure, secure and manage. Whatever system it is. I did not want to praise any system.

I remain paranoid and monitor system logs, smtp queries and network activities as well as I can.

Regards.

--
Sam
Re: Spoofed URI's or fake websites ?
Samuel Krieg wrote:
> Jeff Chan wrote:
>>
>> The web sites are apparently cracked. The servers need to be cleaned and
>> secured. If they are windows do an fdisk, format, etc.
>>
>> Jeff C.
>>
>
> Hi,
>
> Thanks for your answer. You confirm my thoughts.
>
> By the way I contacted ThePlanet some time ago for such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running
> Linux :-)

Both of the cracked servers you mentioned are Apache/Unix based.

tvoftheabsurd:
Apache/1.3.36 (Unix) PHP/4.4.2 mod_ssl/2.8.27 OpenSSL/0.9.7e

apnalounge:
Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2 FrontPage/5.0.2.2510

It doesn't matter what platform you run on, if you run exploitable code on your server, it is exploitable.

tvoftheabsurd is running an exploitable version of wordpress (2.2), and apnalounge is probably running some other exploitable PHP code.
Re: Spoofed URI's or fake websites ?
Samuel Krieg wrote:
> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works.. Is the hosting server being
> abused ? Any ideas/solutions ?

Odds are good they are being abused.

Looking at tvoftheabsurd's main page they've got a PHP wordpress 2.2 login page. Wordpress has been known to have exploits in the past.

Ahh, yes. Here's one for WP 2.2:
http://www.securityfocus.com/bid/24344

Oh, and another that allows arbitrary file upload:
http://www.securityfocus.com/bid/24642

That latter one is probably how the redirect page got uploaded.

apnalounge.com also makes extensive use of PHP and seems to have a lot of "cobbled together" code. Nothing jumps out at me, but I'd again not be surprised to find out some part is exploitable.

>
> Thank you.
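A defender-side check for the kind of uploaded redirect page discussed in the message above, as an added example that is not part of the original thread: it walks a web root and lists small .htm/.html files that redirect to another host. The meta-refresh and JavaScript redirect forms, the 4 KB size cutoff, and the site.example / pills.example names are assumptions; the thread does not say how the redirect was implemented.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed redirect styles (the thread does not say which one was used).
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*?url\s*=\s*["\']?([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
MAX_STUB_BYTES = 4096  # assumption: an uploaded redirect stub is a tiny file

def redirect_target(html):
    """Return the URL a page redirects to, or None if no redirect is found."""
    m = META_REFRESH.search(html) or JS_LOCATION.search(html)
    return m.group(1) if m else None

def scan_docroot(root, site_host):
    """List (relative path, target) for small HTML files that redirect off-site."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(('.htm', '.html')) or os.path.getsize(path) > MAX_STUB_BYTES:
                continue
            with open(path, errors='replace') as fh:
                target = redirect_target(fh.read())
            # Relative targets have no hostname and are treated as on-site.
            host = urlparse(target).hostname if target else None
            if host and host != site_host and not host.endswith('.' + site_host):
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)

def demo():
    """Build a constructed docroot (sample data, not from the thread) and scan it."""
    pages = {
        'index.html': '<html><body><h1>Welcome</h1></body></html>',
        'moved.htm': '<meta http-equiv="refresh" content="0; url=http://www.site.example/new">',
        'shop.htm': '<meta http-equiv="refresh" content="0; url=http://pills.example/">',
        'join.htm': '<script>window.location="http://pills.example/j";</script>',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in pages.items():
            with open(os.path.join(root, name), 'w') as fh:
                fh.write(body)
        return scan_docroot(root, 'site.example')

if __name__ == '__main__':
    for path, target in demo():
        print(f'{path} -> {target}')
```

On a real server, call `scan_docroot` with the actual document root and the site's own hostname, and compare any hits against file modification times and the web server's upload logs.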
Re: Spoofed URI's or fake websites ?
On Thursday 05 July 2007 06:47, Samuel Krieg wrote:
> Thanks for your answer. You confirm my thoughts.
>
> By the way I contacted ThePlanet some time ago for such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running Linux
> :-)

Don't think that this can't happen to a Linux based server.

I've had both Coppermine and Geeklog compromised in the last month with phish sites.

Fortunately, it was simple to see and secure the path on the Coppermine, which was letting new users have picture posting rights, but I never did figure out how they got in on Geeklog, so it's now banned from my server.

--
Phil Barnett
AI4OF
SKCC #600
Re: Spoofed URI's or fake websites ?
Jeff Chan wrote:
> Quoting Samuel Krieg <[EMAIL PROTECTED]>:
>
>> Hi
>>
>> I'm receiving some spam with links like
>> http://www.somewebsite.tld/image.htm ( filename may differ like
>> join.htm or shop.htm ). The uri redirects to another viagra website.
>>
>> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>>
>> Some examples :
>> http://www.apnalounge.com/shop.htm
>>
>> http://www.tvoftheabsurd.com/join.htm
>>
>> I need to understand how it works.. Is the hosting server being abused ?
>> Any ideas/solutions ?
>
> The web sites are apparently cracked. The servers need to be cleaned and
> secured. If they are windows do an fdisk, format, etc.
>
> Jeff C.

Hi,

Thanks for your answer. You confirm my thoughts.

By the way I contacted ThePlanet some time ago for such websites. The redirection has been cleaned up and the websites are still online.

PS: I'm not talking about my servers. They are healthy and running Linux :-)

--
Samuel Krieg
Re: Spoofed URI's or fake websites ?
Quoting Samuel Krieg <[EMAIL PROTECTED]>:

> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works.. Is the hosting server being abused ? Any
> ideas/solutions ?

The web sites are apparently cracked. The servers need to be cleaned and secured. If they are windows do an fdisk, format, etc.

Jeff C.
Spoofed URI's or fake websites ?
Hi

I'm receiving some spam with links like http://www.somewebsite.tld/image.htm ( filename may differ like join.htm or shop.htm ). The uri redirects to another viagra website.

But the somewebsite.tld looks like a normal site (I'm pretty sure it is).

Some examples :
http://www.apnalounge.com/shop.htm

http://www.tvoftheabsurd.com/join.htm

I need to understand how it works.. Is the hosting server being abused ? Any ideas/solutions ?

Thank you.

--
Samuel Krieg