
Spammers on CCGI server


Spammers on CCGI server

On the 22nd May, we noticed that someone had managed to get into our CCGI server space and upload files and PHP scripts to send out bulk mail.

The advice from F9 support was to change all passwords (CCGI, portal, and MySQL) and delete offending files, then to check back every day to make sure that all was well.
All passwords were changed, the entire website was deleted and uploaded from scratch, and daily checks were carried out.

Today, a zip file "p" and the corresponding contents have appeared (could have been any time over the weekend) in our CCGI space. One of the files, "install.txt", has the heading "PHP Bulk Emailer From NukedWeb" and gives various instructions.

Obviously, there is a flaw somewhere in the F9 security (I'm the only person who could possibly know these passwords outside of F9; the CCGI one is 10 characters with a mixture of alpha and non-alphanumeric chars).

Does anyone know how this is likely to have occurred?
Has this happened to anyone else?
Is there anything else we can do (I'm not going to change passwords every few days!) to stop this?
Is there anything that can be done to help track where the intrusion has come from?

I've obviously raised a ticket with support, but the last ticket I raised took over 24 hours to get a reply. F9 support couldn't have cared less when I called about the first incident; "just change the passwords" was their stock reply, so if anyone could help, it would be much appreciated.

Regards
Alex Shannon
2 REPLIES

Spammers on CCGI server

I don't suppose you have added any new scripts recently that could add this file? There are many scripts that add folders and files by stealth after installation.

Mark
orrery
Grafter
Posts: 138
Thanks: 1
Registered: 30-07-2007

Spammers on CCGI server

I'm not sure how this would work with a 'virtual' server as is being provided here, but I've seen it before on a set of discrete machines.

There is usually a system file that has been compromised. We found simple scripts that had huge amounts of white space added, then additional content added which appears off the bottom of the editor. I have also seen situations where editors have been replaced with a program that launches the renamed editor but re-instates a back door for the scammer.

The only way we found to deal with the problem was to re-install the server.

At least you've explained why Force9 servers have been placed on the blocklists.

regards, Ian
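As an added example (not code from this thread, from Force9 or from NukedWeb), here is a small Python script a site owner could use for the daily checks Alex describes, combined with a detector for the whitespace-padding trick Ian describes. It assumes you record a baseline manifest right after the clean re-upload and keep it off the server; the path, the 20-blank-line threshold and the script suffixes are assumptions.

```python
import hashlib
import os

def build_manifest(root):
    """Relative path -> SHA-256 of every file under root (the clean upload)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """Files added, removed or changed since the baseline was recorded."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed

def has_hidden_padding(text, min_blank_lines=20):
    """True if a run of blank lines is followed by more content: code pushed
    below the bottom of an editor window."""
    blank_run = 0
    for line in text.splitlines():
        if line.strip() == '':
            blank_run += 1
        elif blank_run >= min_blank_lines:
            return True
        else:
            blank_run = 0
    return False

def daily_check(root, baseline, min_blank_lines=20):
    """Diff the web root against the baseline, then inspect each new or changed
    script for the padding trick. Returns a report dict of relative paths."""
    current = build_manifest(root)
    added, removed, changed = diff_manifest(baseline, current)
    padded = []
    for rel in added + changed:
        if rel.endswith(('.php', '.pl', '.cgi', '.sh')):
            with open(os.path.join(root, rel), encoding='utf-8', errors='replace') as f:
                if has_hidden_padding(f.read(), min_blank_lines):
                    padded.append(rel)
    return {'added': added, 'removed': removed, 'changed': changed, 'padded': padded}

# Constructed samples: a script with 40 blank lines inserted before an appended
# block (the pattern Ian describes) and a clean one with a few blank lines.
SAMPLE_PADDED = "<?php\necho 'hello';\n" + "\n" * 40 + "<?php /* appended */ ?>\n"
SAMPLE_CLEAN = "<?php\necho 'hello';\n\n\n?>\n"
```

Run `build_manifest` once on the freshly uploaded site, store the result, and call `daily_check` against it each day; anything in `added`, `changed` or `padded` that you did not upload yourself is worth attaching to the support ticket.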