[Chugalug] Website scanners (was d at mn scammers/hackers)

David White dwrudy at gmail.com
Thu Oct 18 11:43:48 UTC 2012


I follow those guys on Twitter. They seem like a good group of people.

On Thu, Oct 18, 2012 at 12:22 AM, Sean Brewer <seabre986 at gmail.com> wrote:

> I use Sucuri for the public facing side:
> http://sitecheck.sucuri.net/scanner/
>
>
> On Wed, Oct 17, 2012 at 11:15 PM, David White <dwrudy at gmail.com> wrote:
>
>> To fork the thread, anyone know of any services you can use, and/or
>> scripts you can run to check the public facing code of sites and
>> ensure there's nothing malicious?
>>
>> On the internal side of things, I wonder if it would just make sense
>> to periodically run an MD5 checksum via cron on each web directory in
>> the server(s) and compare that with the good hash (stored externally,
>> off the server, of course).
>>
>> Sent from my iPhone
>>
>> On Oct 17, 2012, at 10:08 PM, Mike Harrison <cluon at geeklabs.com> wrote:
>>
>> >
>> > The little Linode slice that hosts chugalug.org
>> > and a handful of other sites had a Joomla install brute forced.
>> > Actually nailed on October 10th, but they did not
>> > install and abuse things until yesterday.
>> >
>> > The Apache logs show many, many thousands of login/password attempts
>> > on the two Joomla sites on this system... from only two IPs, in rapid
>> > succession, and they finally got one. Then they uploaded a new theme, with
>> > some extra functionality in the files.
>> >
>> > Note: Both IPs were from static IP leasing services. That's a new
>> > twist to me... usually they are from another hacked server.
>> >
>> > And then they went "Bank of America Customer Fishing"
>> > This server was only a relay, it's some interesting code.
>> >
>> > As many of you are also hosting/using Joomla and other content
>> > management systems, you might want to look at your logs. Moving your
>> > login/admin URLs is the first step, there are many more worth taking.
>> >
>> > I'm out of the internet / web hosting / security business and yet,
>> > since the beginning of September, I've been involved in 6 compromises, 2 of
>> > which, like this one, I was partially responsible for some part of the
>> > system.
>> > The others I was just called in to help clean up afterwards.
>> >
>> > My relevant almost on topic point is: It seems to me the intensity,
>> > focus and volume of hacks, compromises and abuses have seemingly increased
>> > significantly.
>> >
>> > Be careful out there. I'm putting my uber-paranoid hat on after
>> > about 10 years of not wearing it (all the time), you should also.
>> >
>> > The not so nice people are out to get us all. All of us.
>> >
>> >
>> > _______________________________________________
>> > Chugalug mailing list
>> > Chugalug at chugalug.org
>> > http://chugalug.org/cgi-bin/mailman/listinfo/chugalug


-- 
- David White -
Smooth Stone Services *(soon to be CENTS)*
*Computing, Equipping, Networking, Training & Supporting *
*Nonprofit Organizations Worldwide*

Existing Website: http://www.smoothstoneservices.com
New Website (coming soon): http://developCENTS.com
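
The periodic checksum comparison suggested in the quoted message above, as an added Python example that is not part of the original thread. It uses SHA-256 in place of the MD5 mentioned there and also reports added and removed files, since an uploaded theme appears as new files rather than changed ones. The snapshot/check command names and the manifest file are assumptions; the manifest is meant to be kept off the web server.

```python
import hashlib
import json
import os
import sys

def hash_file(path, chunk=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file path under root (relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            is_link = os.path.islink(full)  # record link targets, do not follow them
            manifest[rel] = "symlink:" + os.readlink(full) if is_link else hash_file(full)
    return manifest

def compare(baseline, current):
    """List paths added, removed or modified relative to the known-good baseline."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }

def main(argv):
    # snapshot DIR > manifest.json   |   check DIR manifest.json (exit 1 on drift)
    if len(argv) == 3 and argv[1] == "snapshot":
        json.dump(build_manifest(argv[2]), sys.stdout, indent=1, sort_keys=True)
        return 0
    if len(argv) == 4 and argv[1] == "check":
        with open(argv[3]) as f:
            report = compare(json.load(f), build_manifest(argv[2]))
        for kind, paths in report.items():
            for p in paths:
                print(kind.upper(), p)
        return 1 if any(report.values()) else 0
    print("usage: snapshot DIR | check DIR MANIFEST", file=sys.stderr)
    return 2

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the check mode from cron and alert on a non-zero exit status; regenerate the manifest only after a change you made yourself.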