Web Hosting Forum | Lunarpages


Author Topic: identifying scripts gone bad... any usual suspects?  (Read 5411 times)
fstjohn
« on: January 09, 2008, 09:36:08 AM »

Over the past few weeks (since Christmas morning, actually), my site has been repeatedly molested and I'm trying to find the source. The changes appear to be minor mischief, nothing a reupload of the affected files won't fix.

I changed my password numerous times thinking someone was ftping the vandalized pages up - but was told by LP support that the odds are that there's a script on my server that was probably compromised and is rewriting the pages on the server end. So, while I'm hacking away at existing scripts I use on the site - figured somebody may be able to save me some time.

Is there anyone who this has happened to that may be able to shed some light on this? Or perhaps someone knowledgeable in this arena to look at my site and say "Oooooh, if'n I wanted to - I could put a hurtin on you THIS way..."

thanks

perestrelka
« Reply #1 on: January 11, 2008, 09:02:12 PM »

Hi Fstjohn,

What I would recommend in such situations is checking the modification date on the vandalized pages and then reviewing the web access and FTP logs for the time period when the changes were being made. This should help you find the name of the vulnerable script and possibly the way the pages are being modified.

Kind Regards,
Vlad Artamonov
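
The log review recommended in the reply above, as an added example that is not part of the original thread: it takes the modification time of a changed page and pulls the web access log entries that fall within a few minutes of it. The log lines, the script path `/scripts/guestbook.php` and the timestamp are constructed sample data, and Apache common/combined log format is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: host ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (timestamp, host, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ts, m["host"], m["method"], m["path"], int(m["status"])

def requests_near(modified_at, log_lines, window_minutes=2):
    """Requests within +/- window of the page's modification time.

    POST/PUT requests are sorted first as the ones to review first;
    the remaining requests follow in time order.
    """
    window = timedelta(minutes=window_minutes)
    hits = [e for e in map(parse_line, log_lines)
            if e and abs(e[0] - modified_at) <= window]
    return sorted(hits, key=lambda e: (e[2] not in ("POST", "PUT"), e[0]))

# Constructed sample data (not from the original thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2007:06:10:02 -0800] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [25/Dec/2007:06:14:41 -0800] "POST /scripts/guestbook.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [25/Dec/2007:06:14:55 -0800] "GET /index.html HTTP/1.1" 200 4890',
    '203.0.113.7 - - [25/Dec/2007:09:30:00 -0800] "GET /about.html HTTP/1.1" 200 2048',
]
# Constructed mtime of the vandalized page; on a real site use
# datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).
PAGE_MTIME = datetime(2007, 12, 25, 14, 14, 42, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, host, method, path, status in requests_near(PAGE_MTIME, SAMPLE_LOG):
        print(ts.isoformat(), host, method, path, status)
```

Running the same time window against the FTP log shows whether the change came in over FTP at all; an empty FTP result alongside web hits points at a script on the server.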
fstjohn
« Reply #2 on: January 25, 2008, 01:57:24 PM »

thanks - finally figured it out.

seems I tried to be tricky a while back and pump in info from another site. Decided against doing it, but instead of deleting the code - I commented it out for use at a later time. Well, it seemed the site I was pulling from changed their code, which affected my site (and didn't leave any ftp log footprints either!)

perestrelka
« Reply #3 on: January 25, 2008, 09:30:44 PM »

Quote from: fstjohn on January 25, 2008, 01:57:24 PM
"thanks - finally figured it out.

seems I tried to be tricky a while back and pump in info from another site. Decided against doing it, but instead of deleting the code - I commented it out for use at a later time. Well, it seemed the site I was pulling from changed their code, which affected my site (and didn't leave any ftp log footprints either!)"

Well, looks like you didn't use FTP to pump the info into your site, that is why FTP logs didn't mention it. Anyway, it is good to know that you found the cause and it was not related to unauthorized access to your data.

Kind Regards,
Vlad Artamonov