<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Files keep appearing</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1528" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>Hi</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Have you taken a look, from the outside as it were,
at the website that is hosted above the /Resources directory where they keep
appearing?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Are they being uploaded through some insecure
feature the web developers have bolted onto the page, an "upload your CV / Docs" kind
of thing?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>That would look like legit site traffic in your
connection logs. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Any .pl / .php / .asp scripts in or
around that directory, &amp; do they log the filenames?
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It could be that the site itself is insecure,
presenting the phisher a way in despite running a fully patched
server.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The original site could even be a smokescreen in
which to hide the phishing pages... </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>> — no connections were made on my server
</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>Remember, if your webserver has been compromised
through a known vuln or 0day, the logs could be lying.</FONT></DIV>
<DIV><FONT face=Verdana size=2></FONT> </DIV>
<DIV><FONT face=Verdana size=2>Regards</FONT></DIV>
<DIV><FONT face=Verdana size=2>Colin</FONT></DIV></FONT></DIV>
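<DIV><FONT face=Arial size=2>Added example, not code from either message in this thread: a small Python check for the questions above, listing the files that appeared under the Resources directory after a cleanup next to the non-GET requests in the Apache access log for the same window, so a missing correlation between the two stands out. The directory layout, timestamps and log lines are constructed.</FONT></DIV>

```python
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Apache combined log: (client, timestamp, method, path, status); other fields ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def log_ts(ts):
    """'02/Jun/2006:17:42:31 +0000' -> epoch seconds."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()

def new_files(directory, since):
    """Files under directory with mtime at or after since, oldest first."""
    files = [(str(p.relative_to(directory)), p.stat().st_mtime)
             for p in Path(directory).rglob("*")
             if p.is_file() and p.stat().st_mtime - since >= 0]
    return sorted(files, key=lambda f: f[1])

def write_requests(log_lines, start, end):
    """Non-GET/HEAD requests between start and end: the traffic an upload feature
    or site script leaves. None while files still appear means the writes bypassed
    the web server (cron, another daemon, or a compromised host whose logs lie)."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        ip, ts, method, path, status = m.groups()
        t = log_ts(ts)
        if t - start >= 0 and end - t >= 0 and method not in ("GET", "HEAD"):
            hits.append((ip, method, path, status))
    return hits

# Constructed sample: the window between deleting the pages and finding them
# again, and three access-log lines (RFC 5737 documentation addresses).
CLEANUP = log_ts("02/Jun/2006:09:00:00 +0000")
NOTICED = log_ts("02/Jun/2006:19:00:00 +0000")
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jun/2006:08:15:02 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2006:17:42:31 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Jun/2006:18:03:55 +0000] "GET /Resources/bank/login.html HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

def build_sample_dir():
    """Constructed Resources tree: one old legitimate file, one fresh phishing page."""
    base = Path(tempfile.mkdtemp())
    (base / "bank").mkdir()
    for rel, mtime in (("logo.png", CLEANUP - 86400), ("bank/login.html", CLEANUP + 9 * 3600)):
        (base / rel).touch()
        os.utime(base / rel, (mtime, mtime))
    return base
```

<DIV><FONT face=Arial size=2>Run against the real Resources directory and access log, a new file with no matching write request in the window is the case Colin describes: the write did not come through the web server's front door.</FONT></DIV>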
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=maillists@thelonecoder.com
href="mailto:maillists@thelonecoder.com">Stephen Johnson</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=full-disclosure@lists.grok.org.uk
href="mailto:full-disclosure@lists.grok.org.uk">Untitled</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, June 02, 2006 5:08 AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Full-disclosure] Files keep
appearing</DIV>
<DIV><FONT face=Arial size=2></FONT><BR></DIV><FONT
face="Verdana, Helvetica, Arial"><SPAN style="FONT-SIZE: 12px">I keep having a
phishing website appear on my web server. <BR><BR>They keep showing up
in a Resources folder of one of the sites that I host. I have gone
through the logs and I am not seeing any connections. I deleted the
files this morning and this evening they re-appeared — no connections were
made on my server during that period of time. <BR><BR>Also, there are no cron
jobs that I noticed that looked out of the ordinary. <BR><BR>I am running
MySQL, PHP, Apache2 on a Debian Linux server. <BR><BR>Any thoughts? <BR><BR>--
<BR>Stephen Johnson</SPAN></FONT></BLOCKQUOTE></BODY></HTML>