nanog mailing list archives

Re: Malicious code just found on web server


From: "Kevin Oberman" <oberman () es net>
Date: Tue, 21 Apr 2009 12:38:26 -0700

> Date: Mon, 20 Apr 2009 10:52:57 -0700
> From: Paul Ferguson <fergdawgster () gmail com>
>
> On Mon, Apr 20, 2009 at 10:40 AM, Nick Chapman <nicknetworks () gmail com>
> wrote:
>
>> On Mon, Apr 20, 2009 at 12:47 PM, Neil <kngspook () gmail com> wrote:
>>
>>> But if you figure out how they got write access to a static website, I'd
>>> love to hear it.
>>
>> Compromised FTP credentials would be my guess.  They can be obtained
>> by brute force attacks or credential stealing trojans.
>
> Yeah, it could have been any number of ways -- there has also been a huge
> increase of SSH brute-force attacks in the past few weeks:
>
> https://isc.sans.org/diary.html?storyid=6214

And, from several reports (including my own), they (brute force ssh
attacks) seem to have stopped at about 22:30 UTC on the 19th. (Not that
this is really relevant to the thread.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

