Quote:
Originally Posted by konrath
Konrath,
Unfortunately that issue really has little to nothing to do with FTP, and limiting
the IPs allowed to connect by FTP really won't do much good in this case, as
the methods the hackers use to get the client login information also allow for
them to proxy off the client's own home ISP connections as well, so short of
banning your own clients from logging in entirely, it won't do much good.
(I posted a few times already. However, a few basic details below ...)
The current "iframe" added to index files and scripts uploaded attack is done
via a client compromise and not from the server so there is very little you
can do from a server perspective as the attack isn't at your server.
We've been first-hand tracking the group behind this attack for a while now
at my network security consulting firm. The group behind the attack is
based out of China and basically, in a nutshell, is using a set of trojans
and custom-designed keyloggers to capture client passwords from their
own infected computers at home, and then using that same information
to directly log in to the client's web hosting and bank accounts and wreak
more havoc by updating index files to call uploaded spam scripts with the
user's permissions and making transfers from the victim's bank accounts.
Some good news is that these hackers are limited to the permissions of
the client whose login details they captured from the client's computer
at home, which limits what they can do if your server is properly secured,
as it should already be. In addition, since the upload process seems to
be consistent and apparently fully automated, it's very easy to set up
activity scanning and cron processes to watch for and block this activity.
The same goes for setting up Mod_Security rules and firewall traps too.
For any client who has been compromised at home, their passwords
should be changed immediately (or better their account suspended).
Until their home computers are scanned and disinfected, the client
probably should not be given the new password as the new password
will just be captured by the hackers as well as soon as the client
tries to login from their infected home computer.
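As an added example of the kind of activity scanning mentioned above (not code from the post or its author), a small Python checker that parses a page, collects every `<iframe>` and flags frames that point off a site's allow-list of hosts or that are hidden from the visitor; the allow-list, the sample page and the hostnames in it are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Injected frames are usually hidden: display:none or zero size."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w = int(re.sub(r"\D", "", attrs.get("width") or "") or "1")
    h = int(re.sub(r"\D", "", attrs.get("height") or "") or "1")
    return w <= 1 or h <= 1


def find_injected_iframes(html, allowed_hosts):
    """Return (src, reason) for frames pointing off the allow-list or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append((src, "external host " + host))
        elif is_hidden(attrs):  # relative or allowed src, but invisible
            findings.append((src, "hidden frame"))
    return findings


# Constructed sample index page: one legitimate frame, one injected hidden one.
SAMPLE_INDEX = """<html><body>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://bad.example.net/x.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE_INDEX, {"www.example.com"}):
        print(f"suspicious iframe: {src} ({why})")
```

Run it from cron over each account's index files and alert on any non-empty result; a hit is a cue to check that account's FTP logs and suspend its password, as the post describes.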