[wp-hackers] Hacked blogs
Peter van der Does
peter at avirtualhome.com
Thu Mar 26 16:43:47 GMT 2009
On Thu, 26 Mar 2009 17:00:53 +0100
Joost de Valk <joost at yoast.com> wrote:
> Exactly, it's a check.
>
> Going through the access logs I can't find anything else yet though,
> what we DO see on one of the hosts is that the "infected" files were
> uploaded through FTP (we can see that in the xfer.log), but if I'm
> not mistaken, that could still be done through XSS right?
>
AFAIK:
In order to upload through FTP you will need a username and password,
unless you can upload to any directory anonymously, which is bad.
FTP usernames and password are normally not held on a web server, again
if you run a script that can do FTP uploads, it's bad.
I believe a local machine, Windows/Mac/Linux, is infected with a virus.
Do the site(s) share the same username/password?
Who has FTP access to the site(s)?
Change the password of the user who uploaded the infected file and try
to find out from which user/IP it came. Anybody who has FTP access has
to thoroughly inspect their machine(s).
--
Peter van der Does
GPG key: E77E8E98
WordPress Plugin Developer
http://blog.avirtualhome.com
GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu
More information about the wp-hackers
mailing list