Hostees of mine on magatsu.net -- my webspace was hit with an exploit that I'm cleaning out now. I think it was just my accounts and not any of you (as I cannot access your accounts) but please do (a) change your passwords and (b) check your webspace using FileZilla or another FTP program for a PHP script that shouldn't be there. (details under cut)


The exploit seems to be consistently 28,278 bytes in size, a PHP file named with either two people's named connected by an underscore or an English word connected to a person's name with an underscore. I've found it in root files, and in an images folder in a wiki site and in an uploads folder in a Wordpress site, and in a trunk folder and images folder for survey software I was testing.

If you know how to grep, you can grep for _8b7b as it appears to consistently use that as a variable.

No clue what it's for as it's encrypted. Change your WebID password and your FTP user password to be on the safe side.

You can comment here or at the Dreamwidth crosspost. comment count unavailable comments at Dreamwidth.
Tags: dreamhost, hostees, hosting, web hosting
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded