Wednesday, September 26, 2012

Re: spam scripts on vim.org

Charles Campbell held forth on 09/26/2012 09:52 AM:
> doak wrote:
>
>> Hi,
>>
>> On 25.09.2012 23:00, John Beckett wrote:
>>
>>
>>> But in reality, there is not enough spam to warrant any messing
>>> around.
>>>
>>>
>> In my opinion this is not related to spam.
>> As Marc Weber has already stated, I think it looks like an attack on the web server. As far as I understand the issue, the uploaded "jpeg" tests if an already injected file exists or it tests if the execution of the php code works.
>> As there were four (!) uploads of the same content, it looks like something else was tried and the result was tested again.
>>
>> I guess the uploaded content was only some stuff we noticed. The real issue could be undetected yet.
>>
>>
> May I suggest that our hardworking moderators should check on .htaccess
> files' timestamps/content (if any). Setting up a cron job to download
> any and all .htaccess files from the server and ensuring that their
> contents haven't changed might be a fairly straightforward action.
>
> Regards,
> C Campbell
>
>

With all due respect, Dr., I'd suggest that at least a check of 'ctimes'
(to catch replaced files within the DocRoot or config areas of the HTTP
server) on or (soon) after the placement of the suspect images might be
warranted. htaccess might not be the (only?) target. Beyond that, if
there's truly concern about malicious activity on that server, full
forensics would be apropos - but that's a much larger discussion.

I wonder if tripwire or similar is in use on the site...

/Bill
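The check discussed in this thread (a cron job that baselines .htaccess content, extended to ctimes across the DocRoot as Bill suggests), written out as an added example; it is not code from the thread or from vim.org. It assumes a POSIX filesystem where st_ctime is the inode change time, and the DocRoot layout in demo() is constructed for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map each regular file under root (relative path) to its digest and ctime.
    ctime is the inode change time: it moves on any content, mode or owner change
    and, unlike mtime, cannot be set back with touch/utime."""
    base = Path(root)
    snap = {}
    for p in sorted(base.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(base).as_posix()] = {
                "sha256": file_digest(p), "ctime": p.lstat().st_ctime}
    return snap

def compare(old: dict, new: dict, changed_after: float) -> dict:
    """Diff two snapshots and flag files whose ctime is newer than changed_after
    (e.g. the time the suspect images appeared in the upload directory)."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p]["sha256"] != new[p]["sha256"]),
        "recent_ctime": sorted(p for p, m in new.items() if m["ctime"] > changed_after),
    }

def demo() -> dict:
    """Constructed scenario: a tiny DocRoot, a baseline, then a tampered .htaccess
    and a dropped PHP file, both of which the next check must report."""
    with tempfile.TemporaryDirectory() as root:
        docroot = Path(root)
        (docroot / "images").mkdir()
        (docroot / ".htaccess").write_text("Options -Indexes\n")
        (docroot / "images" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = snapshot(root)
        upload_time = max(m["ctime"] for m in baseline.values())
        time.sleep(0.05)  # let the coarse kernel clock tick so new ctimes sort after upload_time
        (docroot / ".htaccess").write_text("Options -Indexes\n# tampered line (constructed)\n")
        (docroot / "images" / "dropped.php").write_text("<?php /* constructed sample */ ?>\n")
        return compare(baseline, snapshot(root), upload_time)
```

From cron, store snapshot() output as JSON somewhere the web server cannot write to and run compare() against it; the "recent_ctime" list is the quick triage view for the hours after a suspicious upload.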

--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
