paypal scam - tracing link

Bob McClure Jr bob at bobcatos.com
Thu Oct 26 20:20:01 UTC 2006


On Thu, Oct 26, 2006 at 12:42:17PM -0700, Bret Stern wrote:
> > -----Original Message-----
> > From: redhat-install-list-bounces at redhat.com 
> > [mailto:redhat-install-list-bounces at redhat.com] On Behalf Of 
> > Bob McClure Jr
> > Sent: Thursday, October 26, 2006 12:36 PM
> > To: redhat-install-list at redhat.com
> > Subject: Re: paypal scam - tracing link
> > 
> > On Thu, Oct 26, 2006 at 12:20:35PM -0700, Bret Stern wrote:
> > > Afternoon,
> > > 
> > > Can anyone suggest how to find and delete these files which show up
> > > during a locate command.
> > > 
> > > I've looked in the folders below (where the locate command found
> > > them), but cannot find the files.
> > > 
> > > Any help would be appreciated.
> > > 
> > > Bret Stern
> > > 
> > > /usr/local/apache/htdocs/www.paypal.com
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run
> > > 
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/addr.gif
> > > 
> > > <long list trimmed>
> > > 
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/update.php
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/_login-submit.htm
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/login.html
> > > /usr/local/apache/htdocs/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal/cc.db
> > 
> > The database that "locate" works from is built a little after 4am
> > every day.  So it looks like the files were there then, but not now.
> > As root, run "updatedb" to rebuild the database, and see if the
> > problem still exists.
> > 
> > The next question, of course, is, has your machine been cracked by a
> > phisher?
> 
> It was not my machine, but it is true. This was a re-creation of
> paypal.com created on a customers host.
> 
> so the next question.. how was this accomplished.
> Did someone actually guess the password,

That's possible, but it would have had to have been the account of
whoever owns /usr/local/apache/htdocs, or root, in order to install
files there.

> or are there other
> ways, including inside folks,

That's possible, but seems unlikely unless it was a recently laid-off
employee, and they hadn't changed all the passwords the person knew.

> or other??

As Harold has already mentioned, the cracker might have taken
advantage of a known vulnerability in software whose security patches
hadn't been kept up.  If he gets in as root, he "owns" the box.

I, too, am using sshblack or something similar on the ten exposed
machines I watch over.

> > Cheers,
> > -- 
> > Bob McClure, Jr.

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
bob at bobcatos.com             http://www.bobcatos.com
"Where you go in the hereafter depends on what you were after here."
  - Thanks to Graffiti, 2 March 2004
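
A small triage script for the two points raised in this thread, added here as an example and not a command from the thread or from Bob's toolbox: first, that a "locate" hit only proves a file existed when the database was last built, so each hit has to be re-checked against the live filesystem; second, that a phishing kit dropped under the docroot can only have been written by the docroot's owner or root, so the owner of the dropped directory is the first lead on which account was used. The docroot, the kit directory and the "locate" output are all constructed in a temporary directory so the script runs offline; on a real box you would point it at /usr/local/apache/htdocs and at the actual "locate" output. It uses only POSIX sh, find, ls and mktemp.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Constructed sandbox standing in for the real docroot (/usr/local/apache/htdocs).
SANDBOX="$(mktemp -d)"
DOCROOT="$SANDBOX/htdocs"
KIT="$DOCROOT/www.paypal.com/cgi-bin/webscrcmd=_login-run/updates-paypal"
mkdir -p "$KIT" "$DOCROOT/site"
printf '<html>' > "$KIT/login.html"
printf 'x' > "$KIT/cc.db"
printf 'x' > "$DOCROOT/site/index.html"

# Constructed "locate" output: what the nightly database would still list.
# update.php is deliberately absent from disk, mimicking a file deleted
# after updatedb ran (the stale-database case from the thread).
LOCATE_HITS="$SANDBOX/locate.txt"
printf '%s\n' "$KIT/login.html" "$KIT/cc.db" "$KIT/update.php" > "$LOCATE_HITS"

# classify_hits LISTFILE: for each path from a locate listing, print
# "present <path>" if it exists now, or "stale <path>" if it no longer does.
# IFS= and -r keep odd characters such as '=' in the path intact.
classify_hits() {
    while IFS= read -r p; do
        if [ -e "$p" ]; then
            echo "present $p"
        else
            echo "stale $p"
        fi
    done < "$1"
}

# count_present LISTFILE: how many locate hits still exist on disk.
count_present() {
    classify_hits "$1" | grep -c '^present '
}

# suspicious_dirs DOCROOT: directories whose name looks like a hostname
# (www.* or *.com). A brand's hostname as a directory inside someone else's
# docroot is the kit layout seen in the thread. Prints "owner path", the
# owner being whoever's credentials (or root) must have written it.
suspicious_dirs() {
    find "$1" -type d \( -name 'www.*' -o -name '*.com' \) | while IFS= read -r d; do
        owner=$(ls -ld "$d" | awk '{print $3}')
        echo "$owner $d"
    done
}

# count_suspicious DOCROOT: number of hostname-like directories found.
count_suspicious() {
    suspicious_dirs "$1" | wc -l | tr -d ' '
}

classify_hits "$LOCATE_HITS"
suspicious_dirs "$DOCROOT"
```

Run it as root on the real host so ls can read every directory; remove "$SANDBOX" afterwards. A "stale" line means the file was removed after the 4am updatedb run and is worth correlating with the web server's access log for that window; a "present" line is live evidence and should be copied off the box with ownership and timestamps preserved before anything is deleted.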