Plusnet

Badware on my forum

« Reply #16 on 13/11/2009, 10:23 »
From my experience this is more likely to be an SQL injection attack or similar, rather than a successful guess of your FTP password. I've not used Plesk so don't know about raw Apache logs, but that's where you want to be looking. Check for long requests, especially ones with odd-looking characters in.
Ben Brown
PlusNet Systems Engineer
« Reply #17 on 13/11/2009, 12:03 »
Hi Ben,

We're not talking about password guessing but password capture. The payload for this particular iframe includes an infected PDF file designed to do exactly that (and worse).

It could be a hybrid attack, using either password capture or SQL injection, depending on the host, but the xfer logs are likely to be much shorter than the access logs, so that's the quickest thing to eliminate or confirm.

At least safe mode is set on PAYH.

Gabe
« Reply #18 on 13/11/2009, 15:25 »
@Gabe, I will have a look at the xfer logs as soon as I can!
Kind Regards, Gary Lambert.
Force9 ID: dyslexia, PlusNet ID: tdadyslexia, PlusNet Since 6 February 2001
DHEA Community Forum | Please Help Me To Save Lives
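
Added example, not written by any poster in this thread: a triage script for the two checks suggested in replies #16 and #17, flagging long or odd-looking requests in an Apache access log and listing incoming FTP transfers of web files from an xferlog. It assumes the Apache common/combined log format and the standard wu-ftpd/ProFTPD xferlog layout; the length threshold, character list, extensions, paths, user name and log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log line: client host ... "METHOD URI PROTO" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
# Characters/keywords that rarely belong in a forum URL (assumed list; tune per site)
ODD_RE = re.compile(r"['\"<>;]|--|\bunion\b.*\bselect\b", re.I)
WEB_EXT = (".php", ".html", ".htm", ".js", ".htaccess")


def suspicious_requests(lines, max_uri=200):
    """Return (host, reason, uri); max_uri is an assumed cutoff for a 'long' request."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        host, uri = m.groups()
        if len(uri) > max_uri:
            hits.append((host, "long", uri))
        elif ODD_RE.search(unquote_plus(uri)):  # decode %27 etc. before matching
            hits.append((host, "odd-chars", uri))
    return hits


def ftp_uploads(lines, exts=WEB_EXT):
    """Return (host, user, path) for incoming xferlog transfers of web files."""
    hits = []
    for line in lines:
        t = line.split()
        if len(t) < 18:
            continue
        # Index trailing fields from the end so filenames with spaces still parse
        path, direction, user = " ".join(t[8:-9]), t[-7], t[-5]
        if direction == "i" and path.lower().endswith(exts):
            hits.append((t[6], user, path))
    return hits


# Constructed sample data: documentation IP ranges, hypothetical paths and user
ACCESS_SAMPLE = [
    '198.51.100.4 - - [13/Nov/2009:09:58:01 +0000] "GET /forum/index.php?topic=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Nov/2009:10:01:33 +0000] "GET /forum/index.php?topic=12%27%20UNION%20SELECT%201,2-- HTTP/1.1" 200 734',
    '203.0.113.7 - - [13/Nov/2009:10:02:10 +0000] "GET /forum/index.php?q=' + "A" * 300 + ' HTTP/1.1" 200 90',
]
XFER_SAMPLE = [
    "Fri Nov 13 03:12:44 2009 1 203.0.113.9 4521 /httpdocs/forum/index.php a _ i r exampleuser ftp 0 * c",
    "Fri Nov 13 08:40:02 2009 2 198.51.100.4 88210 /httpdocs/backup.zip b _ o r exampleuser ftp 0 * c",
]
print(suspicious_requests(ACCESS_SAMPLE), ftp_uploads(XFER_SAMPLE))
```

An upload of a web file from an address the account owner does not recognise points towards captured FTP credentials; flagged requests with no matching upload point towards the web application itself.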