[nsp-sec] NSP-SEC-6364-ALERT compromised websites (torpig)
Dirk Stander
dst+nsp-sec at glaskugel.org
Mon May 11 11:00:42 EDT 2009
.: Jon Lewis (Mon, May 11, 2009 at 10:21:36AM -0400)
> entire web space until now and found one additional file with the malicious code. The above
> URL is in their password protected "members" area. Do I want to know how it was discovered?
The script/FTP-client which injects the JavaScript runs recursively
through the file system and manipulates every `index' file:
(index|main|default)\.(.html?|php\d*|asp)
We extracted this list from the HTTP-referers of a sinkhole.
Kind regards, Dirk Stander (1&1) :.
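
A defender's view of the behaviour described in this message, as an added example that is not part of the original post: since the injector recurses into every directory, including protected ones, this sketch hashes every index-style file under a webroot and reports those that differ from a known-good baseline. The function names and the sample tree are constructed; the pattern is the one from the message with `.html?` loosened to `.?html?`, matched case-insensitively against the whole file name (all three are assumptions about the intent).

```python
import hashlib
import os
import re
import tempfile

# Pattern from the message; ".html?" loosened to ".?html?" (assumption) so plain
# .html/.htm names match as well as .shtml/.xhtml. Case-insensitive matching and
# anchoring to the whole file name are also assumptions.
INDEX_NAME = re.compile(r"(index|main|default)\.(.?html?|php\d*|asp)", re.I)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(webroot):
    """Map relative path -> SHA-256 for every index-style file under webroot."""
    result = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if INDEX_NAME.fullmatch(name):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, webroot)] = sha256_file(full)
    return result

def changed_since(baseline, current):
    """Paths that are new or whose content differs from the known-good baseline."""
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)

def demo():
    """Constructed sample tree: one index file in a protected subdirectory is altered."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "members", "docs"))
        pages = ["index.html", "members/default.asp", "members/docs/main.php5",
                 "members/about.html"]
        for rel in pages:
            with open(os.path.join(root, rel), "w") as f:
                f.write("<html>clean</html>")
        baseline = snapshot(root)
        with open(os.path.join(root, "members", "default.asp"), "a") as f:
            f.write("<!-- constructed change -->")
        return sorted(baseline), changed_since(baseline, snapshot(root))

if __name__ == "__main__":
    watched, changed = demo()
    print("watched:", watched)
    print("changed:", changed)
```

The baseline has to be taken from a copy of the site known to be clean, and stored where the FTP account used for publishing cannot overwrite it.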