[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

odinson odinson at warcloud.net
Wed Dec 25 22:28:46 PST 2013


Hi

 	This is a stupid question, but who's our webmaster at the moment? 
Looks like lilug.org got popped again.

Matt
-------------------------------------------------------------------------------
Matthew Newhall, M.A.Newhall at warcloud.net
A.S. in Computer Science, SUNY Farmingdale
President of LILUG;  president at lilug.org, http://www.lilug.org
My blog "The Civilization Gene" http://civgene.matthewnewhall.com
Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
Giselle's husband, Sebastian and Maxximus's father.
http://www.warcloud.net/~odinson/us/
"When a well-packaged web of lies has been sold gradually to the masses over the
generations, the truth will seem utterly preposterous...and its speaker a raving
lunatic."
 	-- Dresden James, author
-------------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
From: DreamHost Security Bot <secalerts at dreamhost.com>
To: odinson at warcloud.net
Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised


Hello,

During a recent security scan we have identified that one or more of your hosted sites show signs of being compromised as they are hosting known, malicious web-based backdoors.  Specifically, the following file(s) have been accessed by intruders and have been associated with unsolicited bulk email, denial of service or other abusive activity:

We have identified the following known backdoors under your account:
/home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php
/home/lilug/dev.lilug.org/w/images/.inc.php
/home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php
/home/lilug/www.lilug.org/w-v1.12/images/.inc.php
/home/lilug/www.lilug.org/w/images/help.php
/home/lilug/www.lilug.org/w/images/wptheme.php
/home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php


We have disabled the page(s) in question (via adjusting permissions on the files, e.g. chmod, or backing up the file first renaming it to "filename.INFECTED" and cleaning up the injected code) until you are able to address this matter.

The existence of these pages on your website(s) is likely a sign you have been compromised. We completely empathize with your problem -- having a site hacked can be a frustrating and stressful experience but we hope that this notification helps prevent this matter from being a serious one. We're here to help but we need your assistance first as there are some actions we're not able to take on your behalf as they involve changes to software versions and files under your account. To that end, we highly recommend that you take the following steps:

- Update any 3rd party software under the account, including content management systems, gallery software, weblogging tools, etc. Be sure to use current, secure versions and keep them up-to-date.
- Update any plugins and/or themes on your sites (Recent attacks against websites have targeted vulnerable software such as timthumb.php which is included in some WordPress themes, separate from the core files)
- Check your website(s) files for any signs of tampering (file timestamps show recent editing) or files you did not upload yourself and remove them. Looking at the reported files above should give you a good starting point.
- Check your website(s) files for any 777 directories, (e.g. a directory that allows anyone on the server to write or edit the files in the directory; these permissions will look like rwxrwxrwx via the command line)
- Change your FTP password(s). Be sure they are at least 8 characters in length and do not contain English words. Random numbers and letters work best.
- Consider enabling the StopTheHacker service in your panel. Specifically consider signing up for StopTheHacker's Comprehensive Malware Scanning. More info: http://wiki.dreamhost.com/StopTheHacker

If you have any questions, please feel free to reply to this email and we will be more than happy to assist you with securing your sites.

Sincerely,
The DreamHost Security team
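
The file checks in the alert's list (unexpected PHP files, recently edited files, 777 directories) can be run as read-only `find` queries. The script below is an added example, not part of the original email and not DreamHost's tooling; the function names and the demo tree built by `build_demo_tree` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not DreamHost's tooling): read-only checks for the signs
# the alert lists. Function names and the demo tree are assumptions.

# PHP files under an images/ directory, or hidden (dot-prefixed) PHP files:
# the two patterns visible in most of the reported paths.
find_suspect_php() {
    find "$1" -type f \( -path '*/images/*.php' -o -name '.*.php' \) -print | sort
}

# Directories writable by "other"; this includes mode 777 (rwxrwxrwx).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Files modified within the last $2 days (possible recent tampering).
find_recent_files() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Constructed demo tree; layout loosely mirrors the alert, files are empty.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/w/images" "$root/w/includes" "$root/w/cache"
    : > "$root/w/images/.inc.php"
    : > "$root/w/images/help.php"
    : > "$root/w/images/logo.png"
    : > "$root/w/includes/Setup.php"
    # Backdate the legitimate files so only the planted ones look recent.
    touch -t 201301010000 "$root/w/images/logo.png" "$root/w/includes/Setup.php"
    chmod 755 "$root/w" "$root/w/images" "$root/w/includes"
    chmod 777 "$root/w/cache"
    printf '%s\n' "$root"
}

# Print all three reports for a web root; $2 is the look-back window in days.
audit_webroot() {
    echo "== PHP in images/ or hidden PHP =="; find_suspect_php "$1"
    echo "== world-writable directories ==";  find_world_writable_dirs "$1"
    echo "== modified in last ${2:-7} days =="; find_recent_files "$1" "${2:-7}"
}

# Usage: sh audit.sh /path/to/webroot [days]
if [ "$#" -gt 0 ]; then audit_webroot "$@"; fi
```

Anything the first query returns needs manual review, and backup copies of the site need the same scan, since the alert lists backdoors inside `.backup` directories as well.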




