Thread: FTP Hacker
Old 06-25-2009, 10:45 AM
mtindor
Registered User
 
Join Date: Sep 2004
Posts: 792
Pretty interesting how that is done. Multiple different IP addresses accessing the same account within seconds, each accessing/modifying a different page.

I hesitate to say that's from a full-fledged botnet, but it's likely from multiple compromised machines being controlled from an IRC channel or some other distributed remote means.

Somebody issues a command to log in and change files, and all applicable participants act immediately.

It is likely that this isn't actually the first time that account has been breached. It probably was breached initially - and during that time no directory listing or other activity was likely done. Just a quick login/logout to verify that it can be accessed. Then they sit on it for a while (perhaps weeks or more) without making use of it (so you have no reference left on your server in the logfiles from the previous access). Then they pounce and have it do a quick change of your various html/php pages.

They probably added additional malicious javascript code to each of those pages, or an iframe or something.

Like Infopro said - change your password for that account immediately - to something that is very strong. Set up your Cpanel to require strong passwords across the board.

Go through all of your FTP logs for the past month (or as long as you have them) and look around for strangeness. If you see a group of accounts being accessed in quick succession by the same IP, then you can assume that somebody got a hold of your passwd/shadow files and brute-force broke the weak passwords. If this were the case, you'd want to implement that secure password policy within Cpanel and then change every current account's password as quickly as possible to something that is secure.

It may be isolated [it most often is], but I have seen it where obviously somebody got a hold of the passwd/shadow files on the server, spent a long time cracking as many easy passwords as they could, then many months later pounced on multiple accounts at once.

Mike
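The two log patterns Mike describes above (one account hit from several IPs within seconds, and one IP walking through several accounts in quick succession) can be checked mechanically. The following is an added example, not code from the thread; it assumes a simplified, constructed login-record format rather than any real FTP server's log layout, so the regex would need adjusting for real logs.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample login records in a simplified, made-up format
# (not the output of any particular FTP server); RFC 5737 test addresses.
SAMPLE_LOG = """\
2009-06-25 10:41:02 LOGIN user=alice ip=203.0.113.5
2009-06-25 10:41:04 LOGIN user=alice ip=198.51.100.7
2009-06-25 10:41:05 LOGIN user=alice ip=192.0.2.33
2009-06-25 11:00:00 LOGIN user=bob ip=203.0.113.9
2009-06-25 11:00:03 LOGIN user=carol ip=203.0.113.9
2009-06-25 11:00:05 LOGIN user=dave ip=203.0.113.9
2009-06-25 11:00:07 LOGIN user=erin ip=203.0.113.9
2009-06-25 15:30:00 LOGIN user=frank ip=192.0.2.8
"""
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) ip=(\S+)$")

def parse_logins(text):
    """Return a time-sorted list of (timestamp, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def _bursts(events, key_idx, other_idx, window, min_distinct):
    """Slide a `window`-second window over each key's logins; report keys whose
    window ever held at least min_distinct distinct values of the other field."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key_idx]].append(ev)
    hits = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            distinct = {e[other_idx] for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                hits[key] = max(len(distinct), hits.get(key, 0))
    return hits

def accounts_hit_from_many_ips(events, window=60, min_ips=3):
    """One account, several source IPs within seconds: the pattern in this thread."""
    return _bursts(events, 1, 2, window, min_ips)

def ips_hitting_many_accounts(events, window=60, min_accounts=3):
    """One IP logging into several accounts in succession: cracked-password signature."""
    return _bursts(events, 2, 1, window, min_accounts)
```

Accounts or IPs that show up in either result are the ones whose passwords should be rotated first, alongside the blanket reset Mike recommends.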