in reply to Re^2: Phishing question
in thread Phishing question

I have no doubt that the source of that file came from "out-of-band." Maybe even an anonymous shell access. The user came in as "nobody" but still was able to get to that file location and to put something there ... and that also means, perhaps to replace something else there. If file and directory permissions would have prevented access from "nobody," then immediately you know that someone was covering their tracks.

Re^4: Phishing question
by MidLifeXis (Monsignor) on Aug 26, 2011 at 18:13 UTC

    With what do you support that conclusion?

    To write a file as nobody:nobody to an open directory on a file system with a web server on it only requires a single insecurity in a web script (.cgi - whatever that means, .php, or anything else that responds to remote input). To assume that this came from an oob source requires a slightly higher level of sophistication.

    I am not saying it could not be from an oob source, just that the likelihood of it coming from an insecure script is much better than an oob source.

    Until more information is available, however, this is all just supposition.

    --MidLifeXis
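The permission check both posters are arguing about can be made concrete: list every place under the document root that the web server's identity could have written to, or already owns. If the suspect file sits somewhere that list does not cover, the "single insecure script" explanation no longer fits. This is an added example, not code from either poster; `audit_webroot`, `build_sample_tree` and the uid/gid values are assumptions, and the sample tree is constructed here.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_webroot(root, web_uid, web_gid):
    """Walk a document root and report where the web server identity
    (the uid/gid it runs as, e.g. nobody:nobody) could have written a
    file, or already owns one. Returns a sorted list of (path, reason)."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = path.lstat()  # do not follow symlinks
            rel = str(path.relative_to(root))
            if st.st_uid == web_uid:
                findings.append((rel, "owned by web server uid"))
            if stat.S_ISDIR(st.st_mode):
                if st.st_mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable directory"))
                elif st.st_gid == web_gid and st.st_mode & stat.S_IWGRP:
                    findings.append((rel, "directory writable by web server group"))
    return sorted(findings)


def build_sample_tree():
    """Constructed document root for demonstration only: a locked-down
    cgi-bin next to a world-writable uploads directory. Returns its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    cgi = Path(root) / "cgi-bin"
    cgi.mkdir()
    os.chmod(cgi, 0o755)
    (cgi / "index.cgi").write_text('#!/usr/bin/perl\nprint "ok\\n";\n')
    uploads = Path(root) / "uploads"
    uploads.mkdir()
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    # On a real host look the identity up with pwd.getpwnam("nobody");
    # 99999 is a constructed uid/gid that owns nothing in the sample tree.
    root = build_sample_tree()
    for rel, reason in audit_webroot(root, 99999, 99999):
        print(f"{rel}: {reason}")
```

Run it against the real document root with the web server's uid/gid; directories it reports are the only places a compromised script running as that user could have dropped the file.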