[horde] Phising despite latest CVS?
Jan Johansson
j2 at mupp.net
Wed May 3 13:28:35 PDT 2006
>What are you trying to say, and what does all this have to do with
>phishing?
Sorry, let me rephrase my message.
I said phising, because my server have been used as the "fake host" in a
Phising attack against eBay. (Now, my ISP have been helpful, and is
filtering traffic).
But, if you look at the URL. Something has created a "SignIn.html" in my
horde-tree.
(/var/www/webmail.skyddsrummet.net/horde/services/help/ws/eBayISAPIdllSignIn
favoritenav=2sid2=ruproduct=pp=co_partnerId=2ru=i1=ruparams=pageType=pa2=bsh
owgif=pa1=pUserId=errmsg=UsingSSL-runame-iteid=0/SignIn.htm)
As I said. Even after updating to latest CVS, it was recreated _Again_ so I
wonder what else I should be looking for?
---------------
Someone is managing to _Create_ that file in my web server. So I thought I
hade become a victim of the security bulletin posted on horde.org.
But even after doing cvs update -Pd the file has been recreated afterwards?
This is from my apache-log.
--14:19:14-- http://imthelaw.home.ro/SignIn.htm
=> `SignIn.htm'
Resolving imthelaw.home.ro... 81.196.20.133
Connecting to imthelaw.home.ro|81.196.20.133|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,553 (12K) [text/html]
0K .......... .. 100% 59.16
KB/s
14:19:15 (59.16 KB/s) - `SignIn.htm' saved [12553/12553]
--14:27:57-- http://geocities.com/bloodlust_kryptonyte/SignIn.htm
=> `SignIn.htm'
Resolving geocities.com... 66.218.77.68
Connecting to geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
0K .......... ..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3030 bytes
Desc: not available
Url : http://lists.horde.org/archives/horde/attachments/20060503/4848baab/smime.bin
More information about the horde
mailing list