[Lilug Planning] [matnew 83875513] DreamHost Security Alert - Site Compromised (fwd)

odinson odinson at warcloud.net
Thu Dec 26 08:42:17 PST 2013


Hi Matt

 	Thanks!  Let me know if I can help.

Matt

On Thu, 26 Dec 2013, Matt Surico wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 12/26/2013 01:28 AM, odinson wrote:
>> Hi
>>
>> This is a stupid question, but who's our webmaster at the moment?
>> Looks like lilug.org got popped again.
>
> Hi Matt - it's me.
>
> I will follow up on this.
>
> Thanks and regards,
> Matt S.
>
>
>>
>> Matt
>> -------------------------------------------------------------------------------
>>
>> Matthew Newhall, M.A.Newhall at warcloud.net
>> A.S. in Computer Science, SUNY Farmingdale
>> President of LILUG;  president at lilug.org, http://www.lilug.org
>> My blog "The Civilization Gene" http://civgene.matthewnewhall.com
>> Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
>> Giselle's husband, Sebastian and Maxximus's father.
>> http://www.warcloud.net/~odinson/us/
>> "When a well-packaged web of lies has been sold gradually to the masses
>> over the generations, the truth will seem utterly
>> preposterous...and its speaker a raving lunatic."
>>  	-- Dresden James, author
>> -------------------------------------------------------------------------------
>>
>>
>>
>> ---------- Forwarded message ----------
>> Date: Wed, 25 Dec 2013 13:39:41 -0800 (PST)
>> From: DreamHost Security Bot <secalerts at dreamhost.com>
>> To: odinson at warcloud.net
>> Subject: [matnew 83875513] DreamHost Security Alert - Site Compromised
>>
>>
>> Hello,
>>
>> During a recent security scan we have identified that one or more
>> of your hosted sites show signs of being compromised as they are
>> hosting known, malicious web-based backdoors.  Specifically, the
>> following file(s) have been accessed by intruders and have been
>> associated with unsolicited bulk email, denial of service or other
>> abusive activity:
>>
>> We have identified the following known backdoors under your account:
>> /home/lilug/dev.lilug.org/w-v1.12/config/wp-ecyv.php
>> /home/lilug/dev.lilug.org/w/images/.inc.php
>> /home/lilug/dev.lilug.org/w.20130519.backup/images/.inc.php
>> /home/lilug/www.lilug.org/w-v1.12/images/.inc.php
>> /home/lilug/www.lilug.org/w/images/help.php
>> /home/lilug/www.lilug.org/w/images/wptheme.php
>> /home/lilug/www.lilug.org/w-20130627.backup/images/.inc.php
>>
>>
>> We have disabled the page(s) in question (via adjusting permissions
>> on the files, e.g. chmod, or backing up the file first renaming it
>> to "filename.INFECTED" and cleaning up the injected code) until you
>> are able to address this matter.
>>
>> The existence of these pages on your website(s) is likely a sign
>> you have been compromised. We completely empathize with your
>> problem -- having a site hacked can be a frustrating and stressful
>> experience but we hope that this notification helps prevent this
>> matter from being a serious one. We're here to help but we need
>> your assistance first as there are some actions we're not able to
>> take on your behalf as they involve changes to software versions
>> and files under your account. To that end, we highly recommend that
>> you take the following steps:
>>
>> - Update any 3rd party software under the account, including
>>   content management systems, gallery software, weblogging tools,
>>   etc. Be sure to use current, secure versions and keep them
>>   up-to-date.
>> - Update any plugins and/or themes on your sites (Recent attacks
>>   against websites have targeted vulnerable software such as
>>   timthumb.php which is included in some wordpress themes, separate
>>   from the core files)
>> - Check your website(s) files for any signs of tampering (file
>>   timestamps show recent editing) or files you did not upload
>>   yourself and remove them. Looking at the reported files above
>>   should give you a good starting point.
>> - Check your website(s) files for any 777 directories, (e.g. a
>>   directory that allows anyone on the server to write or edit the
>>   files in the directory; these permissions will look like
>>   rwxrwxrwx via the command line)
>> - Change your FTP password(s). Be sure they are at least 8
>>   characters in length and do not contain English words. Random
>>   numbers and letters work best.
>> - Consider enabling the StopTheHacker service in your panel.
>>   Specifically consider signing up for StopTheHacker's
>>   Comprehensive Malware Scanning. More info:
>>   http://wiki.dreamhost.com/StopTheHacker
>>
>> If you have any questions, please feel free to reply to this email
>> and we will be more than happy to assist you with securing your
>> sites.
>>
>> Sincerely, The DreamHost Security team
>>
>>
>> _______________________________________________
>> Planning mailing list
>> Planning at lists.lilug.org
>> http://lists.lilug.org/listinfo.cgi/planning-lilug.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
>
> iF4EAREIAAYFAlK8EpQACgkQQOgC01ICatACgwEAtG0qfErlU+8NH7YfWDrAKHCD
> 0p9tAlSL/P/fxfCRrNUA/1r7aZz2JpVxzIUxQ9OvJgWOS1+c8yilXGd2ey9xoEoi
> =TC4W
> -----END PGP SIGNATURE-----
>


-------------------------------------------------------------------------------
Matthew Newhall, M.A.Newhall at warcloud.net
A.S. in Computer Science, SUNY Farmingdale
President of LILUG;  president at lilug.org, http://www.lilug.org
My blog "The Civilization Gene" http://civgene.matthewnewhall.com
Author; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
Giselle's husband, Sebastian and Maxximus's father.
http://www.warcloud.net/~odinson/us/
"I do not want a good General, I want a lucky one"
 	-- Napoleon
-------------------------------------------------------------------------------
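
The file checks recommended in the forwarded alert (777 directories, PHP files where only images belong, recently modified files), as an added shell example that is not part of the original thread. The function names and the sample tree are constructed for illustration; pass a real web root as the first argument to audit it instead.

```shell
#!/bin/sh
# Added example: run the alert's file checks against a web root.
# Function names and the sample tree are constructed for illustration.

# Directories whose mode is exactly 777 (rwxrwxrwx).
find_777_dirs() {
    find "$1" -type d -perm 777 -print | LC_ALL=C sort
}

# PHP files inside images/ directories, plus hidden PHP files anywhere
# (the alert reports images/.inc.php and images/help.php).
find_suspect_php() {
    find "$1" -type f \( -path '*/images/*' -name '*.php' \
        -o -name '.*.php' \) -print | LC_ALL=C sort
}

# Files modified within the last N days (default 30), for timestamp review.
find_recent_files() {
    find "$1" -type f -mtime "-${2:-30}" -print | LC_ALL=C sort
}

# Build a constructed sample tree so the checks can be tried offline.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/w/images" "$tree/w/config" "$tree/w/uploads"
    echo '<?php /* constructed placeholder */' > "$tree/w/images/.inc.php"
    echo '<?php /* constructed placeholder */' > "$tree/w/images/help.php"
    echo '<?php /* legitimate page */' > "$tree/w/index.php"
    echo 'constructed image data' > "$tree/w/images/logo.png"
    # Backdate the legitimate files so only the planted ones look recent.
    touch -t 201201010000 "$tree/w/index.php" "$tree/w/images/logo.png"
    chmod 755 "$tree/w" "$tree/w/images" "$tree/w/config"
    chmod 777 "$tree/w/uploads"
    echo "$tree"
}

# Audit the directory given as $1, or a fresh sample tree if none is given.
root=${1:-$(make_sample_tree)}
echo "== directories with mode 777";        find_777_dirs "$root"
echo "== PHP in images/ or hidden PHP";     find_suspect_php "$root"
echo "== files modified in last 30 days";   find_recent_files "$root" 30
```

Backup copies of the site (such as the `.backup` directories named in the alert) sit under the same root and are scanned too, so a hit there means the backup also needs cleaning before it is restored.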


