rc3.org

Strong opinions, weakly held

Spammer infests hosting account

I was just reading about a Dreamhost customer whose hosting account was compromised by search engine spammers. They gained access to his account, altered all of his files to include an iframe that linked to some kind of search engine spam, and uploaded a bunch of other files to his account that were also obviously related to spamming search engines. Such attacks only make sense if they can be performed in an automated fashion on a large number of Web sites. It looks like one of the links they added to his site also goes to a Web site that attempts to infest your computer with some kind of malware (kozirodstwo.com). He only found out about the problem when Google notified him that he was being delisted from the index because his newly modified pages violate their guidelines.

Anyone heard about anything similar going on? It seems new to me.

Update: Looks like the vector of attack was an insecure PHP script, which is all too typical. I guess this isn’t particularly novel after all.
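A defender's check for the modification described above, as an added example that is not part of the original post: it walks a web root and reports every iframe whose `src` names a host outside an allow-list, skipping relative URLs that stay on the site. The allow-listed hosts, the file extensions, the sample pages and `spam.invalid` are constructed assumptions.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site embeds on purpose; any other iframe host is reported.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SCAN_EXTENSIONS = {".html", ".htm", ".php"}

class IframeCollector(HTMLParser):
    """Collect (line, src) for every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.found.append((self.getpos()[0], dict(attrs).get("src") or ""))

def external_iframes(text, allowed=ALLOWED_HOSTS):
    """Return (line, src) for iframes whose src names a host outside `allowed`."""
    parser = IframeCollector()
    parser.feed(text)
    return [(line, src) for line, src in parser.found
            if (host := (urlparse(src).hostname or "").lower()) and host not in allowed]

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Map each page under root (relative path) to its external iframes."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            hits = external_iframes(path.read_text("utf-8", "replace"), allowed)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Scan a constructed web root in which one page carries an added iframe."""
    pages = {  # constructed sample pages, not taken from the incident
        "index.php": '<?php head(); ?>\n<iframe src="http://spam.invalid/s"></iframe>\n',
        "about.html": '<p>About</p>\n<iframe src="/widgets/map.html"></iframe>\n',
        "video.html": '<iframe src="https://www.example.com/embed/1"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in pages.items():
            Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the live document root, a non-empty report flags changed pages before a search engine does; iframes written by script at render time are outside what this static scan sees.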

1 Comment

  1. My server was compromised a few years back by an insecure version of awstats that was installed. This led to a group of Brazilian hackers/gamers gaining root access and replacing every index.* file on the server (across all virtual hosted domains) with a file of their own design. Interestingly enough, they were mostly harmless hackers who were competing with other script kiddies, attempting to increase the number of sites they’ve hacked — as in some weird sort of game. They did not care that their incursion into my server resulted in me having to reformat and reinstall Debian, restore the web sites, email, etc. I ultimately stopped being a sysadmin for my own server and now rely on hosted services (shared or fully-managed dedicated) where I am assured all software is patched as soon as a security exploit is discovered.


© 2016 rc3.org
