[154192] in North American Network Operators' Group


Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

daemon@ATHENA.MIT.EDU (Ryan Rawdon)
Wed Jun 27 10:32:27 2012

From: Ryan Rawdon <ryan@u13.net>
In-Reply-To: <2BDC6728-6809-4525-A9E8-1D13357E30EE@u13.net>
Date: Wed, 27 Jun 2012 10:30:47 -0400
To: Ryan Rawdon <ryan@u13.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 Arturo Servin <arturo.servin@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:

>
> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
>
>> What would be nice is to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
>
> I cleaned up compromises similar to this in a customer site fairly
> recently.  In our case it was the same exact behavior but was php
> injected into their application, instead of .htaccess.  I do not recall
> what the original compromise vector was; it was something in the
> customer's custom application which they resolved.
>
> It looked like the malware did a find and replace for <?php and
> replaced it with:
>


<snipped>

http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters.  Not
sure if it caught the base64 or plaintext so I snipped both.  You can
view my original message in the archives at
http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html



>
> (where brugge.osa.pl was the destination for the redirects in the
> compromise of this customer site)
>
>> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>>
>>>> <snip>
>>>
>>
>> --
>>
>> - (2^(N-1))
>>
>

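As an added example (not from the thread or any poster), a small Python triage script for the behaviour Ryan describes: a scripted find-and-replace on `<?php` leaves the same injected block at the top of every affected file, so grouping files by what immediately follows their first opening tag, and flagging groups whose shared preamble carries redirect or decoder tokens, surfaces the hits without knowing the payload in advance. The sample webroot, the token list and the `attacker.invalid` host are constructed assumptions.

```python
from collections import defaultdict

# Tokens typical of mass-injected PHP preambles (assumed heuristic list, not from the post).
SUSPICIOUS = (b"eval(", b"base64_decode(", b"gzinflate(", b"header(", b"Location:")


def preamble_after_open_tag(content: bytes, max_len: int = 200) -> bytes:
    """First line of code following the first <?php tag (empty if no tag).

    A find-and-replace on <?php leaves the injected block on that first line,
    with the file's real code resuming after the injected closing ?><?php.
    """
    idx = content.find(b"<?php")
    if idx < 0:
        return b""
    first_line = content[idx + 5:].split(b"\n", 1)[0]
    return first_line[:max_len].strip()


def looks_injected(preamble: bytes) -> bool:
    """True when the preamble carries redirect or decoder tokens."""
    return any(tok in preamble for tok in SUSPICIOUS)


def find_mass_injection(files: dict[str, bytes], min_files: int = 2) -> dict[bytes, list[str]]:
    """Group files by their post-<?php preamble and report preambles that are
    shared by at least min_files files and look injected: an identical block
    across many files is the fingerprint of a scripted find-and-replace."""
    groups: dict[bytes, list[str]] = defaultdict(list)
    for path, content in files.items():
        pre = preamble_after_open_tag(content)
        if pre and looks_injected(pre):
            groups[pre].append(path)
    return {pre: sorted(paths) for pre, paths in groups.items() if len(paths) >= min_files}


# Constructed sample webroot (not from the original post). Three files had every
# <?php replaced by an injected redirect followed by a fresh <?php; two are clean.
INJECTED = b'<?php header("Location: http://attacker.invalid/"); exit; ?>'
SAMPLE_FILES = {
    "index.php": INJECTED + b"<?php\nrequire 'app.php';\n",
    "app.php": INJECTED + b"<?php\nfunction run() {}\n",
    "lib/db.php": INJECTED + b"<?php\nclass Db {}\n",
    "clean.php": b"<?php\n// untouched file\necho 'ok';\n",
    "config.php": b"<?php\n$cfg = ['debug' => false];\n",
}

if __name__ == "__main__":
    for pre, paths in find_mass_injection(SAMPLE_FILES).items():
        print(f"{len(paths)} files share injected preamble {pre[:60]!r}: {paths}")
```

On a real webroot, read each `.php` file's bytes into the dict in place of `SAMPLE_FILES`; a clean copy from version control is still the authoritative way to confirm and revert each flagged file.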

