[Rack] Fwd: Malware notification regarding noisebridge.net
Andy Isaacson
adi at hexapodia.org
Thu Dec 8 03:12:07 UTC 2011
On Wed, Dec 07, 2011 at 05:46:46PM -0800, Jeff Tchang wrote:
> Definitely would be interested in knowing what you find.
Lots of 2- and 3-year-old PHP scripts in globally accessible URLs.
Probably one of them had a bug giving code execution or file upload;
that was used to upload some obfuscated PHP, leveraged to upload
.htaccess files that 301 and 302 requests over to a .ru spam
site.
Admin was using strong passwords, did not use unencrypted protocols (ssh
and HTTPS for all admin access), and is unlikely to have keylogger
malware on machines used to admin.
It's possible that DreamHost has a larger compromise, but far more
likely is that an ancient script gave access.
-andy
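
A triage check for the pattern described in the message above, as an added example that is not part of the original post: it walks a web root and reports .htaccess redirects whose target lies outside the site's own hosts, plus PHP files matching an assumed obfuscation marker (eval() around a decoder call). The function names, host names and sample rules are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Apache directives that can issue a 301/302: mod_alias Redirect* and mod_rewrite RewriteRule.
REDIRECT_RE = re.compile(
    r'^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s.*?(https?://[^\s"\']+)', re.I)
# Assumed heuristic for "obfuscated PHP": eval() wrapped around a decoder call.
OBFUSCATED_RE = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)
# Constructed sample rules, not taken from the compromised site.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^(.*)$ http://spam-site.example/$1 [R=302,L]
Redirect 301 /wiki https://www.example.org/wiki
# Redirect 301 / http://commented-out.example/
"""

def external_redirects(text, own_hosts):
    """Return [(line_no, host)] for redirect targets outside own_hosts."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REDIRECT_RE.match(line)  # lines starting with '#' never match
        if not m:
            continue
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host and not any(host == h or host.endswith("." + h) for h in own_hosts):
            hits.append((n, host))
    return hits

def scan_webroot(root, own_hosts):
    """Walk root; return sorted [(relative_path, kind, detail)] findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for n, host in external_redirects(text, own_hosts):
                    findings.append((rel, "external-redirect", f"line {n} -> {host}"))
            elif OBFUSCATED_RE.search(text):
                findings.append((rel, "obfuscated-php", "eval() around a decoder"))
    return sorted(findings)

if __name__ == "__main__":
    print(external_redirects(SAMPLE_HTACCESS, ["example.org"]))
```

A hit is a lead for manual review rather than proof of compromise, and a clean result does not rule out other forms of obfuscation.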