in reply to Phishing question

Most virtual host setups provide well-known “convenience” goodies ... Plesk and so on ... which are intended for use by the site administrators, but which are therefore well-known to others. Is there a non-secure FTP service process running? Is it possible, literally, to log in using sh?

Certainly begin by making the entire directory structure read-only. A web server never has any plausible reason whatever to be able to write to whatever it is reading.

The first thing that I do with any virtual server is to wipe the sucker completely clean and to install a bare-bones OS onto it, completely eliminating things like Plesk which I don’t need anyway. Every time that I failed to do this is a time that I came to regret.
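An added example (not from the thread or any poster) of the two checks the post above suggests, as a POSIX shell script: list everything under a document root that the web server account (assumed here to be `nobody`, as in this thread) owns or that group/other can write to, then strip the write bits. The document root path and the account name are assumed parameters.

```shell
#!/bin/sh
# Audit a web document root for the two things a compromised web script needs:
# files already owned by the web server account, and writable locations.

# count_writable DOCROOT: number of entries (files or dirs) under DOCROOT that
# group or other can write to. The web server should never need any of them.
count_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# count_owned_by DOCROOT USER: number of entries owned by USER. For the web
# server account this should be zero; anything found was written by a web
# process (an upload script, a vulnerable CGI) and deserves a look.
count_owned_by() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# list_owned_by DOCROOT USER: the same entries, with owner, mode and mtime,
# so the suspicious ones can be inspected before anything is changed.
list_owned_by() {
    find "$1" -user "$2" -exec ls -ld {} +
}

# harden_docroot DOCROOT: directories 755, files 644, so the only writable
# principal is the owning (admin) account. Ownership is left alone on purpose:
# fix that separately once the audit output has been reviewed.
harden_docroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: sh audit_docroot.sh /var/www/example nobody
if [ $# -ge 2 ]; then
    echo "writable by group/other: $(count_writable "$1")"
    echo "owned by $2: $(count_owned_by "$1" "$2")"
    list_owned_by "$1" "$2"
fi
```

Run the audit first and read its output; apply `harden_docroot` only after confirming nothing legitimate (a session directory, a cache) depends on being writable.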

Re^2: Phishing question
by Anonymous Monk on Aug 26, 2011 at 03:52 UTC
    I appreciate everyone's help.

    I was considering making the whole directory structure read-only. I will read up in the material suggested.

      I have no doubt that the source of that file came from "out-of-band." Maybe even an anonymous shell access. The user came in as "nobody" but still was able to get to that file location and to put something there ... and that also means, perhaps to replace something else there. If file and directory permissions would have prevented access from "nobody," then immediately you know that someone was covering their tracks.

        With what do you support that conclusion?

        To write a file as nobody:nobody to an open directory on a file system with a web server on it only requires a single insecurity in a web script (.cgi - whatever that means, .php, or anything else that responds to remote input). To assume that this came from an oob source requires a slightly higher level of sophistication.

        I am not saying it could not be from an oob source, just that the likelihood of it coming from an insecure script is much better than an oob source.

        Until more information is available, however, this is all just supposition.

        --MidLifeXis