[Rack] Fwd: Malware notification regarding noisebridge.net

Jonathan Lassoff jof at thejof.com
Wed Dec 7 20:21:43 PST 2011


On Wed, Dec 7, 2011 at 7:12 PM, Andy Isaacson <adi at hexapodia.org> wrote:

> On Wed, Dec 07, 2011 at 05:46:46PM -0800, Jeff Tchang wrote:
> > Definitely would be interested in knowing what you find.
>
> Lots of 2 and 3 year old PHP scripts in globally accessible URLs.
> Probably one of them had a bug giving code execution or file upload;
> that was used to upload some obfuscated PHP, leveraged to upload
> .htaccess files that 301 and 302 requests over to a .ru spam
> site.
>
> Admin was using strong passwords, did not use unencrypted protocols (ssh
> and HTTPS for all admin access), and is unlikely to have keylogger
> malware on machines used to admin.
>
> It's possible that dreamhost has a larger compromise, but far more
> likely is that an ancient script gave access.
>

Part of Dreamhost's value proposition for customers is that they'll extract
a fresh Wordpress tarball and setup Apache for you.

I would hope that with that information that they could automatically
upgrade outdated installs automatically. That said, I can understand how
some would hate such a feature changing files out from underneath them.

--j

>
> -andy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.noisebridge.net/pipermail/rack/attachments/20111207/d35bbdaf/attachment.htm 


More information about the Rack mailing list