[TriLUG] cracked shared hosting: what to do?
Kevin Hunter Kesling
hunteke at earlham.edu
Wed Apr 17 18:35:38 EDT 2013
At 6:22pm -0400 Wed, 17 Apr 2013, Amnon wrote:
>> No, I'm not sure. All I can say is that nothing stands out
>> immediately. For instance, 'last <username>' only shows my logins,
>> both before and after an attack (i.e., modification of .htaccess and
>> scripts put in
>
> Did you change your password? We've been seeing a lot of cracking
> attempts (pop3, smtp) from China in the last few weeks, and a few of
> the 'easy' passwords were cracked.

Heh, given the XKCD notion of secure[1], I don't know; the password was
certainly not 'love' or 'god', and we've changed it twice in the past
week, "just to be sure". It would seem to no avail.

I haven't coded in PHP in about 8 years, but my recollection is that it
is difficult to "do it right" in terms of security. Given the recent
news surrounding WordPress[2], I've been perusing the PHP code base, and
have found at least a couple of apparent "back doors". We've now blown
away the code and replaced it with a fresh and updated version. In
addition to the support ticket, I hope that this will nail the door
shut, or at least point us in the right direction.

Any and all thoughts and suggestions still welcome!

Thanks for the question,

Kevin

[1] http://xkcd.com/936/
"Password Strength - correct horse battery staple"

[2] http://it.slashdot.org/story/13/04/12/1940248/wordpress-sites-under-wide-scale-brute-force-attack
"Wordpress Sites Under Wide-Scale Brute Force Attack"