[Rack] Fwd: Malware notification regarding noisebridge.net
jof at thejof.com
Wed Dec 7 20:21:43 PST 2011
On Wed, Dec 7, 2011 at 7:12 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Wed, Dec 07, 2011 at 05:46:46PM -0800, Jeff Tchang wrote:
> > Definitely would be interested in knowing what you find.
> Lots of 2 and 3 year old PHP scripts in globally accessible URLs.
> Probably one of them had a bug giving code execution or file upload;
> that was used to upload some obfuscated PHP, leveraged to upload
> .htaccess files that 301 and 302 requests over to a .ru spam
> Admin was using strong passwords, did not use unencrypted protocols (ssh
> and HTTPS for all admin access), and is unlikely to have keylogger
> malware on machines used to admin.
> It's possible that DreamHost has a larger compromise, but far more
> likely is that an ancient script gave access.
Part of DreamHost's value proposition for customers is that they'll extract
a fresh WordPress tarball and set up Apache for you.
I would hope that with that information they could automatically
upgrade outdated installs. That said, I can understand how
some would hate such a feature changing files out from underneath them.
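The thread above describes uploaded .htaccess files that issue 301 and 302 redirects to another site. As an added example (not code from the thread or from DreamHost), this Python walks a web root and reports .htaccess redirect directives whose target host is outside an allowlist; the host names and sample rules are constructed, and `example.org` stands in for the site's own domain.

```python
import os
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'\[\]]+", re.IGNORECASE)

# Constructed sample, not taken from the compromised site.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^(.*)$ http://spam.example/in.php?q=$1 [R=302,L]
Redirect 301 /old https://www.example.org/new
# Redirect 301 / http://commented-out.example/
"""

def is_own_host(host, own_hosts):
    """True if host is one of own_hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in own_hosts)

def find_external_redirects(text, own_hosts):
    """Return [(line_no, directive, host)] for redirects that leave own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        # mod_alias Redirect* directives and mod_rewrite RewriteRule.
        if not (directive.startswith("redirect") or directive == "rewriterule"):
            continue
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            # Skip targets built from server variables such as %{HTTP_HOST}.
            if host and host[0] not in "%$" and not is_own_host(host, own):
                findings.append((line_no, directive, host))
    return findings

def scan_tree(root, own_hosts):
    """Check every .htaccess under root; returns {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_external_redirects(fh.read(), own_hosts)
            if hits:
                results[path] = hits
    return results
```

Comparing the reported files' modification times against the last known-good deploy helps separate planted rules from redirects the site owner added deliberately.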