Browsing all articles from April, 2009


One of our clients was unknowingly sending out spam yesterday. I spent most of my afternoon cleaning it up and tracking down how the attackers were doing it.

In this client's case, they have their own server (which we maintain), and they mostly write their own code.
Most of the common-or-garden vulnerability scans don't work on their server, because they write their own code, although in this case that didn't save them from being exploited.

In order to find out what was causing the spamming, I had to find out how the attackers got in.
Usually this means checking the Apache logs for anything untoward.

In this case, although the logs had plenty of vulnerability scans (all against files that don't exist on their server), I couldn't see anything in the logs that immediately stood out as the cause.
Read more »


Foreword – Note that none of our servers are vulnerable to remote inclusion attacks.

For the most part, the exploits I covered in yesterday's post are common-or-garden PHP vulnerability scans.
Some of them are more interesting, though more for being encrypted than for anything else.

If I take an example from our log files:
Read more »


I've noticed a lot more hacker attacks recently in the logs for the servers we maintain.
This is probably due to more people using botnets for attack scans.

What are the hackers looking for, and how can we prevent them from getting in?

In most cases, the hackers are looking for vulnerabilities in common applications. The most notorious of these would be things like phpBB, WordPress, and other similar apps. The most common attacks we are noticing these days are ones that leverage remote file inclusion.
Read more »