[development] Fully patched site hacked and cloaked

Chris Johnson cxjohnson at gmail.com
Wed Jan 27 15:56:11 UTC 2010


Now that's very interesting.  If all of the FTP passwords were
changed, and the attackers still got in this easily, it's far less
likely that they sniffed the use of an unencrypted changed FTP
password so quickly than that they already had access via some other
means.  Perhaps they cracked your SSH password?  Or perhaps there was
a backdoor installed on the server itself which gave them immediate
access?

Your suggestion that RackspaceCloud users check their installations is
a good one; it sounds like these servers have security weaknesses
which are easily exploited.


On Wed, Jan 27, 2010 at 9:25 AM, Tomáš Fülöpp (vacilando.org)
<tomi at vacilando.org> wrote:

> The site got hacked again today, despite all FTP password changes etc.
> Because (though that is of course an assumption, but a reasonable one)
> bootstrap.inc was read-only the hacker created bootstrap.php in the
> includes/ folder. Not sure there was a way to use it but still, it got
> created.
>
> I always use SSH (Port 22, WinSCP) but I am now investigating the
> possibility of some of my clients using insecure FTP, which of course would
> be a very likely attack vector.
>
> Any further ideas are of course appreciated. And those on RackspaceCloud,
> check your bootstrap.inc files today.
>
> vacilando / Tomáš
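One way to carry out the "check your bootstrap.inc files" advice above in a repeatable way: take a hash manifest of includes/ from a known-good state, then diff the live directory against it so that a changed bootstrap.inc or an unexpected bootstrap.php stands out. This is an added example, not code from the thread or from Drupal; the directory contents and the hashes are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory):
    """Map every file under directory (relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = sha256_of(full)
    return manifest

def compare_manifests(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario mirroring the thread: baseline a clean includes/,
    then bootstrap.inc is altered and an unexpected bootstrap.php appears."""
    with tempfile.TemporaryDirectory() as includes:
        with open(os.path.join(includes, "bootstrap.inc"), "w") as f:
            f.write("<?php\n// constructed stand-in for Drupal's bootstrap.inc\n")
        with open(os.path.join(includes, "common.inc"), "w") as f:
            f.write("<?php\n// constructed stand-in for common.inc\n")
        baseline = build_manifest(includes)  # taken from the known-good state
        with open(os.path.join(includes, "bootstrap.inc"), "a") as f:
            f.write("// constructed marker: file changed after the baseline\n")
        with open(os.path.join(includes, "bootstrap.php"), "w") as f:
            f.write("<?php\n// constructed marker: file not present in the baseline\n")
        return compare_manifests(baseline, build_manifest(includes))

if __name__ == "__main__":
    print(demo())  # {'added': ['bootstrap.php'], 'removed': [], 'modified': ['bootstrap.inc']}
```

In practice the baseline manifest is written from a clean checkout of the same Drupal release and stored off the web server, so an attacker who can write to includes/ cannot also rewrite the reference hashes.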

