OAImages Server Hacked?
This is not good..
I received an email from the colocation folks this afternoon:
This afternoon around 5pm CST your server (deleted) was flooding the network by a PERL script running under the (deleted) directory as user “(deleted)”. This script was sending out UDP traffic that was degrading the network throughput. There were also password scanning scripts under (deleted)…
Needless to say the scripts were not placed by me, nor in any directory I would normally place such stuff in! The colocation folks archived the offending scripts before deleting them. At first glance it appears the mischief was caused by someone who may have gained access to this blog.
Some details have been changed and I will keep an eye on this for any future unauthorized activity. No user data appears to have been compromised as the probable hackers had other goals in mind. I hope I won’t have to take more drastic actions such as shutting down this blog, but will do so, if needed to protect the server’s integrity.
This could well explain some of the unusual problems I’ve been having with the server lately.


Is +x set on that directory? You might be able to create .htaccess controls that limit +x to .php files or something similar (I forget if .php even needs +x, honestly) and limit the possibility of this happening again in the future.
Was the user one that you recognized? Is WP up-to-date?
[...] I’m guessing this stopped working about the time I was having trouble with the site’s server last Winter. Either no one ever mentioned this to me, or I forgot if they did, and I didn’t realize it was a problem. Most likely when I restored the site’s files, I reposted an older version of the Perl script that is needed to create these pdf files that was not entirely error-free. [...]