[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

Matt Surico surico at mail.buoy.com
Thu Dec 26 03:27:29 PST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/26/2013 01:28 AM, odinson wrote:
> Hi
> 
> This is a stupid question, but who's our webmaster at the moment? 
> Looks like lilug.org got popped again.

Hi Matt - it's me.

I will follow up on this.

Thanks and regards,
Matt S.


> 
> Matt 
> -------------------------------------------------------------------------------
>
> Matthew Newhall, M.A.Newhall at warcloud.net
> A.S. in Computer Science, SUNY Farmingdale
> President of LILUG; president at lilug.org, http://www.lilug.org
> My blog "The Civilization Gene" http://civgene.matthewnewhall.com
> Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
> Giselle's husband, Sebastian and Maxximus's father.
> http://www.warcloud.net/~odinson/us/
>
> "When a well-packaged web of lies has been sold gradually to the masses
> over the generations, the truth will seem utterly preposterous...and its
> speaker a raving lunatic." -- Dresden James, author
> -------------------------------------------------------------------------------
>
> 
> 
> ---------- Forwarded message ----------
> Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
> From: DreamHost Security Bot <secalerts at dreamhost.com>
> To: odinson at warcloud.net
> Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised
> 
> 
> Hello,
> 
> During a recent security scan we have identified that one or more
> of your hosted sites show signs of being compromised as they are
> hosting known, malicious web-based backdoors.  Specifically, the
> following file(s) have been accessed by intruders and have been
> associated with unsolicited bulk email, denial of service or other
> abusive activity:
> 
> We have identified the following known backdoors under your account:
>
> /home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php
> /home/lilug/dev.lilug.org/w/images/.inc.php
> /home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php
> /home/lilug/www.lilug.org/w-v1.12/images/.inc.php
> /home/lilug/www.lilug.org/w/images/help.php
> /home/lilug/www.lilug.org/w/images/wptheme.php
> /home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php
> 
> 
> We have disabled the page(s) in question (via adjusting permissions
> on the files, e.g. chmod, or backing up the file first renaming it
> to "filename.INFECTED" and cleaning up the injected code) until you
> are able to address this matter.
> 
> The existence of these pages on your website(s) is likely a sign
> you have been compromised. We completely empathize with your
> problem -- having a site hacked can be a frustrating and stressful
> experience but we hope that this notification helps prevent this
> matter from being a serious one. We're here to help but we need
> your assistance first as there are some actions we're not able to
> take on your behalf as they involve changes to software versions
> and files under your account. To that end, we highly recommend that
> you take the following steps:
> 
> - Update any 3rd party software under the account, including content
>   management systems, gallery software, weblogging tools, etc. Be sure to
>   use current, secure versions and keep them up-to-date.
> - Update any plugins and/or themes on your sites (Recent attacks against
>   websites have targeted vulnerable software such as timthumb.php which is
>   included in some WordPress themes, separate from the core files)
> - Check your website(s) files for any signs of tampering (file timestamps
>   show recent editing) or files you did not upload yourself and remove
>   them. Looking at the reported files above should give you a good
>   starting point.
> - Check your website(s) files for any 777 directories, (e.g. a directory
>   that allows anyone on the server to write or edit the files in the
>   directory; these permissions will look like rwxrwxrwx via the command
>   line)
> - Change your FTP password(s). Be sure they are at least 8 characters in
>   length and do not contain English words. Random numbers and letters
>   work best.
> - Consider enabling the StopTheHacker service in your panel. Specifically
>   consider signing up for StopTheHacker's Comprehensive Malware Scanning.
>   More info: http://wiki.dreamhost.com/StopTheHacker
> 
> If you have any questions, please feel free to reply to this email
> and we will be more than happy to assist you with securing your
> sites.
> 
> Sincerely,
> The DreamHost Security team
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iF4EAREIAAYFAlK8EpQACgkQQOgC01ICatACgwEAtG0qfErlU+8NH7YfWDrAKHCD
0p9tAlSL/P/fxfCRrNUA/1r7aZz2JpVxzIUxQ9OvJgWOS1+c8yilXGd2ey9xoEoi
=TC4W
-----END PGP SIGNATURE-----
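
The file checks recommended in the forwarded alert (world-writable directories, recently edited PHP, files nobody uploaded), as an added example that is not part of the original message or DreamHost's own tooling. The function names, the 30-day default window and the rule that PHP does not belong under `images/` are assumptions drawn from the paths the alert lists.

```shell
#!/bin/sh
# Added example (not DreamHost tooling): read-only triage of a web root.
# Function names and the 30-day default window are assumptions.

# Directories any local user can write to (includes mode 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# PHP under an images/ directory: static-asset folders should not hold scripts.
find_php_in_images() {
    find "$1" -type f -path '*/images/*' -name '*.php' -print
}

# Dot-prefixed PHP files, which a plain `ls` does not show.
find_hidden_php() {
    find "$1" -type f -name '.*.php' -print
}

# PHP files modified within the last N days (default 30).
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-30}" -print
}

# Files the host already quarantined by renaming them to *.INFECTED.
find_quarantined() {
    find "$1" -type f -name '*.INFECTED' -print
}

# Print every finding under a labelled heading; nothing on disk is changed.
audit_site() {
    echo "== world-writable directories"; find_world_writable_dirs "$1"
    echo "== PHP inside images/";         find_php_in_images "$1"
    echo "== hidden PHP files";           find_hidden_php "$1"
    echo "== PHP changed recently";       find_recent_php "$1" "${2:-30}"
    echo "== quarantined by the host";    find_quarantined "$1"
}

# Run only when a web root is given, e.g.: sh audit.sh /path/to/webroot 14
if [ "$#" -gt 0 ]; then
    audit_site "$@"
fi
```

Backup copies of the site sit under the same account in the alert's list, so the web root passed in should be the directory that contains them as well as the live tree.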


