I have a server with serverprono that was just compromised last week.
When I found out about it from my client, I went to see what had happened.
They first made a dir /.secure/ containing form.html,
and the form.html was a page they made from Bank of America to collect credit card info.
I deleted that dir etc. and then I shut down the FTP account for this site.
My server was unplugged at this point for an AUP violation, and I was told I needed to contact abuse through email. They are telling me they will plug it back in and give me 24 hrs to fix the problem.
What do you guys suggest at this time?
The client's password was a weak 6-letter common word; could this have been the problem?
If what you mentioned here is all that happened, it does not seem that your server got hacked; it could just be a website account that got compromised. Check the account activities to find out how the phishing files were uploaded. You will need to do a thorough checkup on the server and make sure that the server is safe. You may hire someone if you are not sure how to do it.
Sounds like an exploit in a script: a phishing site was put up through a hole in a script on a user's site, or by the user themself. I'm surprised they pulled the server first and asked questions later. Interesting.
Phishing is extremely common today. I'm surprised they pulled the plug on you instead of getting a quick resolution from you.
Usually users with phpBB, Mambo, or those upload scripts are the most likely to have phishing pages uploaded by a phisher. If you look at the permissions as well as the timestamp of the form, I am sure you can dig it up through the Apache, FTP, and messages logs. But it doesn't look like the whole server will be compromised, as phishers usually just find a weakness in a customer account and upload their content.
PsychzNetworks - Enterprise Servers & Data Center Professionals
★24/7 On-Site Support - Premium Server Hardware
★Facilities: Los Angeles, CA - Dallas, TX | Tier-4 Data Centers
★Dedicated Servers - Colocation - Psychz DDoS-Shield™ On-Premise Mitigation
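The two replies above both come down to the same step: take the timestamp of the phishing file and look for what the FTP and web logs recorded around that moment. The script below is an added example, not code from anyone in this thread. It correlates a file's mtime against an xferlog-style FTP transfer log and an Apache combined-format access log, both embedded here as constructed sample lines (the IPs, paths, account name `clientuser` and the timestamps are made up), and reports which FTP account and remote address uploaded files in that window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines standing in for the real server's logs.
# FTP log is in wu-ftpd/proftpd xferlog layout; web log is Apache combined format.
# Paths, IPs, the account name and the timestamps are made up for this example.
XFERLOG = """\
Fri Jan 12 14:03:10 2007 1 198.51.100.7 2048 /home/client/public_html/index.html b _ i r clientuser ftp 0 * c
Mon Jan 15 10:22:33 2007 2 203.0.113.5 4821 /home/client/public_html/.secure/form.html b _ i r clientuser ftp 0 * c
Mon Jan 15 10:23:10 2007 1 203.0.113.5 1340 /home/client/public_html/cgi-bin/mailer.pl a _ i r clientuser ftp 0 * c
"""

ACCESS_LOG = """\
198.51.100.7 - - [15/Jan/2007:09:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2007:10:19:48 +0000] "GET /.secure/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.44 - - [15/Jan/2007:11:05:27 +0000] "GET /.secure/form.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jan/2007:11:06:02 +0000] "POST /cgi-bin/mailer.pl HTTP/1.1" 302 0 "http://example.test/.secure/form.html" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2007:12:40:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed mtime of /.secure/form.html, as `ls -l --full-time` or stat would report it.
FORM_MTIME = datetime(2007, 1, 15, 10, 22, 33)

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_xferlog(text):
    """Yield one dict per xferlog line. Field order follows the xferlog(5) layout:
    5 timestamp tokens, transfer-time, remote-host, size, filename, type,
    special-action, direction (i = upload to server, o = download), access-mode, username."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 14:
            continue  # truncated or foreign line: skip rather than guess at fields
        yield {
            "source": "ftp",
            "time": datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y"),
            "ip": t[6],
            "path": t[8],
            "direction": t[11],
            "user": t[13],
        }


def parse_access_log(text):
    """Yield one dict per Apache combined-format line. The timezone offset is dropped,
    on the assumption that both logs on the host are written in the same local time."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield {
            "source": "access",
            "time": datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"),
            "ip": ip,
            "path": path,
            "method": method,
            "status": int(status),
        }


def correlate(mtime, xferlog=XFERLOG, access_log=ACCESS_LOG, window=timedelta(hours=1)):
    """Return every FTP and web event within +/- window of the file's mtime, oldest first."""
    events = list(parse_xferlog(xferlog)) + list(parse_access_log(access_log))
    nearby = [e for e in events if abs(e["time"] - mtime) <= window]
    return sorted(nearby, key=lambda e: e["time"])


def ftp_uploaders(events):
    """Distinct (remote IP, FTP account) pairs that uploaded files in the window:
    the accounts to lock and reset, and the addresses to search for elsewhere in the logs."""
    return {(e["ip"], e["user"]) for e in events
            if e["source"] == "ftp" and e["direction"] == "i"}


if __name__ == "__main__":
    hits = correlate(FORM_MTIME)
    for e in hits:
        print(e["time"], e["source"], e["ip"], e.get("user", "-"), e["path"])
    print("uploaded via FTP by:", ftp_uploaders(hits))
```

On a real host, replace the two embedded strings with the contents of the xferlog (or the FTP daemon's own transfer log) and the site's access log, and set the mtime from the phishing file before deleting it. Hits from third-party addresses on the phishing page after the upload show how far the campaign got; an upload from the client's own FTP account with a password it never normally uses from that address is the pattern the first reply describes.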
OK, they just plugged it back in after a week of downtime.
I made sure FTP was disabled on the client's site that was doing the phishing.
I have found many dirs on that client's site with /.secure/
with a form.html: one was Bank of America, one was PayPal, one was NetZero.
They also put a script in this client's /cgi-bin/ dir.
I have removed all this stuff.
Any pointers and help would be great, thank you.
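Finding the dirs by hand one at a time is how things get missed, so here is an added example (not the poster's own procedure) of a sweep over a site's document root for the artifacts this post describes: hidden directories such as `/.secure/`, files inside them, recently changed scripts under `cgi-bin`, and world-writable directories that would let any script or local account drop files again. The sample site it walks is constructed in a temporary directory; the file names and the 7-day and 30-day ages are assumptions for the demonstration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path


def triage_webroot(root, recent_days=7, now=None):
    """Walk a document root and return sorted (reason, relative path) findings:
    hidden directories (name starts with '.'), every file inside them, files under
    cgi-bin modified within recent_days, and world-writable directories.
    Symlinks are not followed, so a planted link cannot pull the walk off the site."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root)
        if d != root and d.name.startswith("."):
            findings.append(("hidden directory", str(rel)))
            for f in filenames:
                findings.append(("file in hidden directory", str(rel / f)))
        if "cgi-bin" in rel.parts:
            for f in filenames:
                if (d / f).stat().st_mtime >= cutoff:
                    findings.append(("recent change in cgi-bin", str(rel / f)))
        if d != root and d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable directory", str(rel)))
    return sorted(findings)


def build_sample_site():
    """Create a throwaway document root shaped like the one described in the thread
    (constructed for this example): a legitimate index.html, a hidden .secure dir with
    a form.html, a freshly dropped cgi-bin script, a month-old legitimate cgi-bin script,
    and an uploads directory left world-writable. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<h1>client site</h1>\n")
    (root / ".secure").mkdir()
    (root / ".secure" / "form.html").write_text("<form>constructed phishing form</form>\n")
    (root / "cgi-bin").mkdir()
    (root / "cgi-bin" / "mailer.pl").write_text("#!/usr/bin/perl\n# constructed dropped script\n")
    old = root / "cgi-bin" / "counter.pl"
    old.write_text("#!/usr/bin/perl\n# constructed legitimate script\n")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))  # backdate so it falls outside the window
    (root / "uploads").mkdir()
    os.chmod(root / "uploads", 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for reason, path in triage_webroot(site):
        print(f"{reason:28} {path}")
```

Run `triage_webroot` against each account's document root before cleaning up, and keep the output with the matching log lines: the timestamps are what tie each dropped file back to the upload that put it there, and they are gone once the directories are deleted.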
Your client is using Gallery. I'm not sure if that's Coppermine Gallery or Gallery from menalto, but that is VERY likely to be the problem (and the former has been an issue for me in the past, so I'd bet it's Coppermine). I suggest that you get the latest patches immediately and delete all the files.
By the way, I hate to be blunt, but in your role as a system administrator (as far as I can tell from what you've written so far), this stuff should be pretty easy to understand. If you are not sure -- even if there is a weak password -- you should enlist the assistance of a company to secure your server for you. From your recent posts, it appears that the weak password was not the issue, but rather that it was weak system administration on your part.