Author: jwernerny » Sun Aug 27, 2006 2:25 pm
I'm pretty sure these hacks are actually cross contaminations from a master server. The quick and simple way to prevent them may be to obfuscate (hide) the forum source directories and use .htaccess to make it look like things are in the expected location.
I'll explain. Let's say I am a hacker and I have compromised a website with the c99 shell script. If I know that IM1.4.0 is normally installed in "forum" and has open directories of "files," etc., and I am on a host that seems to assign user names in a regular fashion, then I can quickly infect other sites by trying to blindly write into the directories.
For instance, let's say on host "ABC_XYZZY_Hosting.com", I have found that users are given IDs in the form of "user0001", "user0002", "user0003", etc., then I can start randomly trying to write to /home/user0001/forum/files, then /home/user0002/forum/files, etc.
BTW, I got hacked this morning. I found 2 copies of c99 shell, one in files and the other someplace else. I am on WB-Hosting. If you use WB-Hosting, I strongly suggest you check things out and take some steps to make sure the well known directories are not accessible.
- John
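An added example, not part of the original post: a shell audit for the condition described above, run against your own account's tree. It reports directories that other local users on a shared host can write into and any script files sitting directly inside them. The function names and the list of script extensions are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit one account's web tree for directories that any other
# local user can write to, plus script files found directly inside them.
# Usage: sh audit.sh /path/to/your/forum

# Print every world-writable directory under ROOT, one per line.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print script files located directly inside world-writable directories.
# The extension list is an assumption; extend it for your stack.
list_scripts_in_writable_dirs() {
    find "$1" -type d -perm -0002 -exec sh -c '
        for d in "$@"; do
            find "$d" -maxdepth 1 -type f \
                \( -name "*.php" -o -name "*.phtml" -o -name "*.pl" -o -name "*.cgi" \)
        done' sh {} + 2>/dev/null
}

# Print a report for ROOT. Returns 0 when clean, 1 when anything needs review.
audit_tree() {
    root=$1
    dirs=$(list_world_writable_dirs "$root")
    scripts=$(list_scripts_in_writable_dirs "$root")
    if [ -z "$dirs" ]; then
        echo "OK: no world-writable directories under $root"
        return 0
    fi
    echo "World-writable directories (other accounts on this host can write here):"
    printf '%s\n' "$dirs" | sed 's/^/  /'
    if [ -n "$scripts" ]; then
        echo "Script files inside them (review each one):"
        printf '%s\n' "$scripts" | sed 's/^/  /'
    fi
    return 1
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

A clean result only means nothing is world-writable now; script files that were dropped earlier still need to be found and removed separately.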