Hacked by Tugr@

Discussion in 'ProcessGuard' started by johncesta, Jan 4, 2005.

Thread Status:
Not open for further replies.
  1. johncesta

    johncesta Registered Member

    Joined: May 20, 2004
    Posts: 13

    Has anyone heard of this one? What they do is to copy:

    index.php .cfm .htm .html .asp
    default.php .cfm .htm .html .asp

    to the root folder of every web site.

    I can't find much on it on the web. I thought I had figured it to be an old Serv-U FTP server hack, so I upgraded about 3 weeks ago, but today upon reboot it happened again.

    Is this something that ProcessGuard could find running?

    Thanks

    John Cesta
     
  2. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002
    Posts: 6,217
    Location: Hampshire UK

    Hi John, Not unless it requires a .exe to do it. ProcessGuard protects running processes from change, injection and closure and alerts on .exe's starting or when they are changed.
    It sounds like what you describe is a scripting exploit?

    Pilli
     
  3. heapmiller

    heapmiller Guest

    Were you able to find the hole and get the server back up and running clean?

    It seems we may have been hit with a similar hack, trying to figure out where and what is creating the files.

    thanks
     