Hmm. Thanks everyone for the suggestions.

On Jan 14, 2008 5:22 PM, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
> 3APA3A wrote:
>
> > Dear crazy frog crazy frog,
> >
> > Clear your computer from trojan, change FTP password for your site
> > hosting access, because it's stolen, access your hosting account via
> > FTP and remove additional text (usually at the end of the file, after
> > </html>) from all HTML/PHP pages.
>
> Ummmm -- the only part of that likely to be relevant here is the last.
>
> These kinds of web page "compromises" are typically achieved through
> bad/ill-configured/non-updated server-side web applications (or their
> underlying script engines) and are typically achieved without requiring
> any more special or privileged access to the victim sites than the
> ability to run a clever Google search or your own brute-force spidering
> via a bot-net, etc.
>
> Of course, simply removing the undesired iframe/script/etc tags from
> your compromised pages is not enough. Although doing so does not mean
> that this attacker will come back, it equally does nothing to close the
> hole they used in the first place, and the next attacker searching for
> that hole will hit you just as easily and indiscriminately...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
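An added example, not part of the thread or written by any of its posters: a small scanner for the cleanup step discussed above, which reports HTML/PHP pages that carry content after the closing </html> tag and separates appended iframe/script tags from other trailing text. The function names, verdict labels and sample pages are assumptions made for illustration, and the scan only finds the symptom, not the hole that let the content in.

```python
import re
import sys
from pathlib import Path

# Case-insensitive closing tag; the last occurrence marks the end of the legitimate page.
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# The tag types the thread names as typical appended content.
INJECTED_TAG = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)
PAGE_SUFFIXES = {".html", ".htm", ".php"}


def trailing_after_html(text):
    """Return whatever follows the last </html>, or "" if there is no closing tag."""
    matches = list(CLOSE_HTML.finditer(text))
    if not matches:
        return ""
    return text[matches[-1].end():].strip()


def classify(text):
    """Return 'clean', 'trailing-text', or 'trailing-tag' (iframe/script after </html>)."""
    tail = trailing_after_html(text)
    if not tail:
        return "clean"
    return "trailing-tag" if INJECTED_TAG.search(tail) else "trailing-text"


def scan_tree(root):
    """Yield (path, verdict) for every HTML/PHP page under root that is not clean."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            verdict = classify(path.read_text(errors="replace"))
            if verdict != "clean":
                yield path, verdict


# Constructed sample pages (not taken from the thread).
SAMPLE_CLEAN = "<html><body><script src='app.js'></script></body></html>\n"
SAMPLE_INJECTED = SAMPLE_CLEAN + '<iframe src="http://injected.example/" width="0" height="0"></iframe>\n'
# Legitimate PHP after </html> is reported as trailing-text so it can be reviewed, not auto-deleted.
SAMPLE_PHP_TAIL = "<html><body>hi</body></html>\n<?php log_visit(); ?>\n"

if __name__ == "__main__":
    for page, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{page}")
```

Run it against a copy of the web root and compare flagged files with a known-good backup before editing anything.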