Posted by: ieatacid
Posted on: 2006-06-08 14:11:00
I noticed this new html page when I was on my FTP tonight.
www.ieatacid.com/cwings.html
Apparently this guy has been hitting a lot of places. A google search turns up quite a few results. Nothing was deleted. He just put that one page there.
Is this a Dreamhost vulnerability? Has anyone else seen this file appear on their web space somewhere?
Posted by: Jeff @ DreamHost
Posted on: 2006-06-08 14:49:00
> Is this a Dreamhost vulnerability? Has anyone else seen this
> file appear on their web space somewhere?
Please contact DreamHost support about this issue for specifics.
However, as a general rule the number of exploits we've seen related to vulnerabilities on our end has been very small (none that I remember within the last couple of years, though it'd be hubris to say that we're un-crackable).
Generally when this sort of thing occurs, it can be traced back to an old, insecure script hosted under the user's hosting account. Such exploits are often used to either deface a user's web space or to upload other scripts, which are in turn used to deface a user's web space, send out spam/phishing emails, set up Bot Nets, etc.
Suffice to say, 99% of the exploits we see regularly could be prevented if 3rd party scripts were kept up to date.
You should immediately upgrade any 3rd party scripts hosted under your account to the latest versions. If it appears the script has been abandoned, consider switching to something else. Look for any hidden files or directories in your account's directory structure, as it's possible that the intruder "left something" they can use to gain access in the future.
You should also change all of your passwords, just in case someone gained access to them (ie. by packet sniffing). It wouldn't hurt to check your home computer for intrusions, spy ware, keyloggers, and to install any outstanding patches/security updates as well.
- Jeff @ DreamHost
- DH Discussion Forum Admin
Posted by: Raz2133
Posted on: 2006-06-08 22:13:00
In reply to:Has anyone else seen this file appear on their web space somewhere?
No, I just rechecked my sites and nothing is there that wasn't explicitly put there by me :)
As Jeff said, this type of thing can invariably be traced back to some kind of vulnerability in a script you are running.
Mark