I just read today on another list how someone uses porn sites to test their security systems ... that just has to qualify as the best excuse ever.
Joking aside, I moderate on a totally computer unrelated group and it is so sad the amount of spam that gets pushed, moderating is a thankless task more often than not. I think if anyone on the group does not understand or appreciate what you are doing to protect them, they should raise their hands and offer you assistance.
Thanks for your hard work.
Duncan
Happy to help at anytime.
On Fri, 07 Dec 2007 15:16:54 -0000, webado <web...@gmail.com> wrote:
> Sorry folks, but it has become necessary to place all new members'
> first posts in moderation due to an influx of ugly spam.
> I'll change this setting when that spam abates.
> Until then hopefully I'll be fast enough to catch all the genuine new
> members and their posts to unmoderate them.
I feel your pain!!!! I recently had to disable my .net and .org urls
because of the unrelenting assault by spammers and other slime buckets
(I am using that term because it would be inappropriate to use the
words I would like).
Daniel
On Dec 7, 1:48 pm, "Duncan Hill" <dhad...@mndhill.com> wrote:
> I just read today on another list how someone uses porn sites to test
> their security systems ...
> that just has to qualify as the best excuse ever.
> Joking aside, I moderate on a totally computer unrelated group and it is
> so sad the amount of spam that gets pushed, moderating is a thankless task
> more often than not.
> I think if anyone on the group does not understand or appreciate what you
> are doing to protect them, they should raise their hands and offer you
> assistance.
> Thanks for your hard work.
> Duncan
> Happy to help at anytime.
> On Fri, 07 Dec 2007 15:16:54 -0000, webado <web...@gmail.com> wrote:
> > Sorry folks, but it has become necessary to place all new members'
> > first posts in moderation due to an influx of ugly spam.
> > I'll change this setting when that spam abates.
> > Until then hopefully I'll be fast enough to catch all the genuine new
> > members and their posts to unmoderate them.
I am seeing a huge increase in spam in forums and email as well,
despite all the anti-spam measures.
The last one was an email I got to my orders @ email addy (thus a very
common and sure to exist one for most sites), where they are offering
me SEO services to make my site #1. #1 for what, they didn't say LOL
This one here is special as it seems to attract a lot of porn spam.
All because we cannot block signups and posts containing certain words
and fragments.
On Dec 7, 2:48 pm, "Duncan Hill" <dhad...@mndhill.com> wrote:
> I just read today on another list how someone uses porn sites to test
> their security systems ...
> that just has to qualify as the best excuse ever.
> Joking aside, I moderate on a totally computer unrelated group and it is
> so sad the amount of spam that gets pushed, moderating is a thankless task
> more often than not.
> I think if anyone on the group does not understand or appreciate what you
> are doing to protect them, they should raise their hands and offer you
> assistance.
> Thanks for your hard work.
> Duncan
> Happy to help at anytime.
> On Fri, 07 Dec 2007 15:16:54 -0000, webado <web...@gmail.com> wrote:
> > Sorry folks, but it has become necessary to place all new members'
> > first posts in moderation due to an influx of ugly spam.
> > I'll change this setting when that spam abates.
> > Until then hopefully I'll be fast enough to catch all the genuine new
> > members and their posts to unmoderate them.
On my sites they manage to hide the spam in links and such that appear
to be normal and pertinent to the forum, but if you click it goes to
porn or Viagra sites and so on. There also seemed to be an increase in
proxy attacks, and there is no telling what the motive behind those
are.
Daniel
On Dec 7, 3:51 pm, webado <web...@gmail.com> wrote:
> I am seeing a huge increase in spam in forums and email as well,
> despite all the anti-spam measures.
> The last one was an email I got to my orders @ email addy (thus a very
> common and sure to exist one for most sites), where they are offering
> me SEO services to make my site #1. #1 for what, they didn't say LOL
> This one here is special as it seems to attract a lot of porn spam.
> All because we cannot block signups and posts containing certain words
> and fragments.
> On Dec 7, 2:48 pm, "Duncan Hill" <dhad...@mndhill.com> wrote:
> > Go on! spoil all the fun .... LOL
> > I just read today on another list how someone uses porn sites to test
> > their security systems ...
> > that just has to qualify as the best excuse ever.
> > Joking aside, I moderate on a totally computer unrelated group and it is
> > so sad the amount of spam that gets pushed, moderating is a thankless task
> > more often than not.
> > I think if anyone on the group does not understand or appreciate what you
> > are doing to protect them, they should raise their hands and offer you
> > assistance.
> > Thanks for your hard work.
> > Duncan
> > Happy to help at anytime.
> > On Fri, 07 Dec 2007 15:16:54 -0000, webado <web...@gmail.com> wrote:
> > > Sorry folks, but it has become necessary to place all new members'
> > > first posts in moderation due to an influx of ugly spam.
> > > I'll change this setting when that spam abates.
> > > Until then hopefully I'll be fast enough to catch all the genuine new
> > > members and their posts to unmoderate them.
a-ok-site wrote:
> On my sites they manage to hide the spam in links and such that appear
> to be normal and pertinent to the forum, but if you click it goes to
> porn or Viagra sites and so on. There also seemed to be an increase in
> proxy attacks, and there is no telling what the motive behind those
> are.
Proxy attacks are probably looking for security holes in the forum. Pop over to the StopBadWare Google group and you'll find out more about the reasons why.
Forums are one of the sites that we are seeing an increase in attacks. If an open forum allows content to be published that provides a link / or delivery vehicle for malware distribution, it can lead to your whole domain being listed at Google and effectively de-listed from the Google Index.
Two main reasons for hiding the target of the links in the spam:
1. Regular users might actually click on them.
2. If they can push enough posts on enough forums, makes you wonder what it would do for their PR of those target sites (for those that they cared about).
On some of the sites I manage, (2) isn't the prevalent option since most of the sites referenced in the spam are using Fast Flux type methods and therefore must only be interested in visitors. But I have seen the odd genuine site. (Genuine only in the fact that it's a permanent site, spamvertised maybe, but they are either SEO naive or stupid or more likely both).
My old personal blog purely exists now so that I can (1) contribute to project honeypot, and (2) maintain my own personal list of IP's to block from my other sites. I "hid" the comment controls from real users, but still the spammers keep on coming, and I keep on adding them to the blocklist... (note for Webado - hid from real users in a way not to be seen by Google to be hiding things ;) but I should save that part for the SEO group)
I've been a member of spamcop for years and spammers rank 1 rung up the ladder from amoeba in my book, except the amoeba still have the higher IQ...
Chris you are right, and I decided to give in and let the spammers win
for now. I will concentrate on a way to provide the same, or almost
the same, content in a way that there is absolutely no chance of my
site propagating their spam or malware/badware. To me providing a
forum or other tool that gives users access to content is not worth
the chance that some young person will click a link and end up on a
porn site or worse.
I was visiting your blog yesterday and kind of wondered what was going
on, and hopefully, I didn't trigger anything I wasn't supposed
to...lol.
Daniel
On Dec 7, 5:50 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> a-ok-site wrote:
> > On my sites they manage to hide the spam in links and such that appear
> > to be normal and pertinent to the forum, but if you click it goes to
> > porn or Viagra sites and so on. There also seemed to be an increase in
> > proxy attacks, and there is no telling what the motive behind those
> > are.
> Proxy attacks are probably looking for security holes in the forum. Pop
> over to the StopBadWare Google group and you'll find out more about the
> reasons why.
> Forums are one of the sites that we are seeing an increase in attacks.
> If an open forum allows content to be published that provides a link /
> or delivery vehicle for malware distribution, it can lead to your whole
> domain being listed at Google and effectively de-listed from the Google
> Index.
> Two main reasons for hiding the target of the links in the spam:
> 1. Regular users might actually click on them.
> 2. If they can push enough posts on enough forums, makes you wonder what
> it would do for their PR of those target sites (for those that they
> cared about).
> On some of the sites I manage, (2) isn't the prevalent option since most
> of the sites referenced in the spam are using Fast Flux type methods and
> therefore must only be interested in visitors.
> But I have seen the odd genuine site. (Genuine only in the fact that
> it's a permanent site, spamvertised maybe, but they are either SEO
> naive or stupid or more likely both).
> My old personal blog purely exists now so that I can (1) contribute to
> project honeypot, and (2) maintain my own personal list of IP's to block
> from my other sites. I "hid" the comment controls from real users, but
> still the spammers keep on coming, and I keep on adding them to the
> blocklist... (note for Webado - hid from real users in a way not to
> be seen by Google to be hiding things ;) but I should save that part
> for the SEO group)
> I've been a member of spamcop for years and spammers rank 1 rung up the
> ladder from amoeba in my book, except the amoeba still have the higher IQ...
a-ok-site wrote:
> I was visiting your blog yesterday and kind of wondered what was going
> on, and hopefully, I didn't trigger anything I wasn't supposed
> to...lol.
I joined the StopBadWare group and looked around some, but I am a
little confused about getting a StopBadware.org review/scan of my
site. Is it only for flagged sites or can it be used to make sure
that a site is and remains clean?
Daniel
On Dec 7, 5:50 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> a-ok-site wrote:
> > On my sites they manage to hide the spam in links and such that appear
> > to be normal and pertinent to the forum, but if you click it goes to
> > porn or Viagra sites and so on. There also seemed to be an increase in
> > proxy attacks, and there is no telling what the motive behind those
> > are.
> Proxy attacks are probably looking for security holes in the forum. Pop
> over to the StopBadWare Google group and you'll find out more about the
> reasons why.
> Forums are one of the sites that we are seeing an increase in attacks.
> If an open forum allows content to be published that provides a link /
> or delivery vehicle for malware distribution, it can lead to your whole
> domain being listed at Google and effectively de-listed from the Google
> Index.
> Two main reasons for hiding the target of the links in the spam:
> 1. Regular users might actually click on them.
> 2. If they can push enough posts on enough forums, makes you wonder what
> it would do for their PR of those target sites (for those that they
> cared about).
> On some of the sites I manage, (2) isn't the prevalent option since most
> of the sites referenced in the spam are using Fast Flux type methods and
> therefore must only be interested in visitors.
> But I have seen the odd genuine site. (Genuine only in the fact that
> it's a permanent site, spamvertised maybe, but they are either SEO
> naive or stupid or more likely both).
> My old personal blog purely exists now so that I can (1) contribute to
> project honeypot, and (2) maintain my own personal list of IP's to block
> from my other sites. I "hid" the comment controls from real users, but
> still the spammers keep on coming, and I keep on adding them to the
> blocklist... (note for Webado - hid from real users in a way not to
> be seen by Google to be hiding things ;) but I should save that part
> for the SEO group)
> I've been a member of spamcop for years and spammers rank 1 rung up the
> ladder from amoeba in my book, except the amoeba still have the higher IQ...
> I joined the StopBadWare group and looked around some, but I am a
> little confused about getting a StopBadware.org review/scan of my
> site. Is it only for flagged sites or can it be used to make sure
> that a site is and remains clean?
It's only for flagged sites. They maintain a list of sites populated with data from Google and other trusted sources (but I suspect mainly Google). The good thing is that if your site's not listed, it's probably not compromised. (I say probably because there is always a lag between a Google listing, and a StopBadWare listing). But trust me, if you had malware on your site, you'd probably know by now...
You only need to do a scan/review of your site, once you have been reported as having malware on your site. i.e.
you get listed at SBA or Google
you then clean your site
ensure your site is clean
close the door to the attackers
then request a review at SBA (and maybe via your Google Webmasters Toolpanel).
That's what the review/scan process is for. If you request a review of your site BEFORE it is cleaned, and it still has malware on it when they re-scan it, it adds a bucket load of time until you get removed from the list.
My main concern is that I was using standard ftp and while uploading
files and I had several worms try to attack my computer, but now I am
using secure ftp and have had no more problems on my side. I am not
sure that it was ever a problem on the server side, and I really don't
think the site is compromised, but one can never be too careful.
Daniel
On Dec 7, 6:36 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> > I joined the StopBadWare group and looked around some, but I am a
> > little confused about getting a StopBadware.org review/scan of my
> > site. Is it only for flagged sites or can it be used to make sure
> > that a site is and remains clean?
> It's only for flagged sites.
> They maintain a list of sites populated with data from Google and other
> trusted sources (but I suspect mainly Google).
> The good thing is that if your site's not listed, it's probably not
> compromised.
> (I say probably because there is always a lag between a Google listing,
> and a StopBadWare listing).
> But trust me, if you had malware on your site, you'd probably know by now...
> You only need to do a scan/review of your site, once you have been
> reported as having malware on your site.
> i.e.
> you get listed at SBA or Google
> you then clean your site
> ensure your site is clean
> close the door to the attackers
> then request a review at SBA (and maybe via your Google Webmasters
> Toolpanel).
> That's what the review/scan process is for.
> If you request a review of your site BEFORE it is cleaned, and it still
> has malware on it when they re-scan it, it adds a bucket load of time
> until you get removed from the list.
There's also the McAfee Site Advisor that can do some similar stuff -
not sure how that works though. I installed their toolbar, but can't
say I've seen anything conclusive anywhere.
On Dec 7, 7:47 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> My main concern is that I was using standard ftp and while uploading
> files and I had several worms try to attack my computer, but now I am
> using secure ftp and have had no more problems on my side. I am not
> sure that it was ever a problem on the server side, and I really don't
> think the site is compromised, but one can never be too careful.
> Daniel
> On Dec 7, 6:36 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> > a-ok-site wrote:
> > > Chris,
> > > I joined the StopBadWare group and looked around some, but I am a
> > > little confused about getting a StopBadware.org review/scan of my
> > > site. Is it only for flagged sites or can it be used to make sure
> > > that a site is and remains clean?
> > It's only for flagged sites.
> > They maintain a list of sites populated with data from Google and other
> > trusted sources (but I suspect mainly Google).
> > The good thing is that if your site's not listed, it's probably not
> > compromised.
> > (I say probably because there is always a lag between a Google listing,
> > and a StopBadWare listing).
> > But trust me, if you had malware on your site, you'd probably know by now...
> > You only need to do a scan/review of your site, once you have been
> > reported as having malware on your site.
> > i.e.
> > you get listed at SBA or Google
> > you then clean your site
> > ensure your site is clean
> > close the door to the attackers
> > then request a review at SBA (and maybe via your Google Webmasters
> > Toolpanel).
> > That's what the review/scan process is for.
> > If you request a review of your site BEFORE it is cleaned, and it still
> > has malware on it when they re-scan it, it adds a bucket load of time
> > until you get removed from the list.
> > There is a separate link for checking if your site is listed in the
> > database (or clearinghouse as they call it) http://stopbadware.org/home/reportsearch
webado wrote:
> There's also the McAfee Site Advisor that can do some similar stuff -
> not sure how that works though. I installed their toolbar, but can't
> say I've seen anything conclusive anywhere.
McAfee forms their list of "bad-sites" from a number of sources one of which is probably the Google malware list (which anyone can access via a Google API). But in this case, I suspect that Google and McAfee 'share' information.
McAfee SA also takes input from users, much like the spamcop reporting system, whereby after a (hidden-) predefined number of user 'bad reports', it will trigger the site to be listed (I suspect that human verification is performed before a red-flag is raised rather than it being totally automatic unlike the spamcop system).
StopBadWare is a "not-for-profit" site that merely deals with the inspection of malware infection sites. It also performs analysis of the malware that is out there.
> There's also the McAfee Site Advisor that can do some similar stuff -
> not sure how that works though. I installed their toolbar, but can't
> say I've seen anything conclusive anywhere.
> On Dec 7, 7:47 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> > Chris,
> > Thanks for the great info!
> > My main concern is that I was using standard ftp and while uploading
> > files and I had several worms try to attack my computer, but now I am
> > using secure ftp and have had no more problems on my side. I am not
> > sure that it was ever a problem on the server side, and I really don't
> > think the site is compromised, but one can never be too careful.
> > Daniel
> > On Dec 7, 6:36 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> > > a-ok-site wrote:
> > > > Chris,
> > > > I joined the StopBadWare group and looked around some, but I am a
> > > > little confused about getting a StopBadware.org review/scan of my
> > > > site. Is it only for flagged sites or can it be used to make sure
> > > > that a site is and remains clean?
> > > It's only for flagged sites.
> > > They maintain a list of sites populated with data from Google and other
> > > trusted sources (but I suspect mainly Google).
> > > The good thing is that if your site's not listed, it's probably not
> > > compromised.
> > > (I say probably because there is always a lag between a Google listing,
> > > and a StopBadWare listing).
> > > But trust me, if you had malware on your site, you'd probably know by now...
> > > You only need to do a scan/review of your site, once you have been
> > > reported as having malware on your site.
> > > i.e.
> > > you get listed at SBA or Google
> > > you then clean your site
> > > ensure your site is clean
> > > close the door to the attackers
> > > then request a review at SBA (and maybe via your Google Webmasters
> > > Toolpanel).
> > > That's what the review/scan process is for.
> > > If you request a review of your site BEFORE it is cleaned, and it still
> > > has malware on it when they re-scan it, it adds a bucket load of time
> > > until you get removed from the list.
> > > There is a separate link for checking if your site is listed in the
> > > database (or clearinghouse as they call it) http://stopbadware.org/home/reportsearch
I don't know, like I said McAfee never returned a conclusive report
on a site that had been reported to have badware and was apparently
all cleaned up, so I suspect the human reporting is stronger and
longer lasting than human verification there.
This morning I had the opportunity to see some nasty stuff on a site
I'd have never expected to fall prey to this. A Wordpress blog, a
nasty script was added in that ended up inserting an iframe with a bad
site in it, that downloads viruses or whatever (Googled for it and it
turns out it's part of some Russian ring of badware spreaders). It
fortunately never made it into Google's badware list, it was caught
early.
It got cleaned up apparently fully and the software updated, but we
don't know how it happened in the first place and there's always the
lingering fear of a server exploit not just an application
vulnerability.
Not my server luckily, but a blog on a very highly ranked site.
On Dec 7, 8:30 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> I will give it a whirl and see how it works. I will post the results
> when I have something.
> Daniel
> On Dec 7, 6:58 pm, webado <web...@gmail.com> wrote:
> > There's also the McAfee Site Advisor that can do some similar stuff -
> > not sure how that works though. I installed their toolbar, but can't
> > say I've seen anything conclusive anywhere.
> > On Dec 7, 7:47 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> > > Chris,
> > > Thanks for the great info!
> > > My main concern is that I was using standard ftp and while uploading
> > > files and I had several worms try to attack my computer, but now I am
> > > using secure ftp and have had no more problems on my side. I am not
> > > sure that it was ever a problem on the server side, and I really don't
> > > think the site is compromised, but one can never be too careful.
> > > Daniel
> > > On Dec 7, 6:36 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> > > > a-ok-site wrote:
> > > > > Chris,
> > > > > I joined the StopBadWare group and looked around some, but I am a
> > > > > little confused about getting a StopBadware.org review/scan of my
> > > > > site. Is it only for flagged sites or can it be used to make sure
> > > > > that a site is and remains clean?
> > > > It's only for flagged sites.
> > > > They maintain a list of sites populated with data from Google and other
> > > > trusted sources (but I suspect mainly Google).
> > > > The good thing is that if your site's not listed, it's probably not
> > > > compromised.
> > > > (I say probably because there is always a lag between a Google listing,
> > > > and a StopBadWare listing).
> > > > But trust me, if you had malware on your site, you'd probably know by now...
> > > > You only need to do a scan/review of your site, once you have been
> > > > reported as having malware on your site.
> > > > i.e.
> > > > you get listed at SBA or Google
> > > > you then clean your site
> > > > ensure your site is clean
> > > > close the door to the attackers
> > > > then request a review at SBA (and maybe via your Google Webmasters
> > > > Toolpanel).
> > > > That's what the review/scan process is for.
> > > > If you request a review of your site BEFORE it is cleaned, and it still
> > > > has malware on it when they re-scan it, it adds a bucket load of time
> > > > until you get removed from the list.
> I don't know, like I said McAfee never returned a conclusive report
> on a site that had been reported to have badware and was apparently
> all cleaned up, so I suspect the human reporting is stronger and
> longer lasting than human verification there.
> This morning I had the opportunity to see some nasty stuff on a site
> I'd have never expected to fall prey to this. A Wordpress blog, a
> nasty script was added in that ended up inserting an iframe with a bad
> site in it, that downloads viruses or whatever (Googled for it and it
> turns out it's part of some Russian ring of badware spreaders). It
> fortunately never made it into Google's badware list, it was caught
> early.
> It got cleaned up apparently fully and the software updated, but we
> don't know how it happened in the first place and there's always the
> lingering fear of a server exploit not just an application
> vulnerability.
> Not my server luckily, but a blog on a very highly ranked site.
> On Dec 7, 8:30 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> > Christina,
> > I will give it a whirl and see how it works. I will post the results
> > when I have something.
> > Daniel
> > On Dec 7, 6:58 pm, webado <web...@gmail.com> wrote:
> > > There's also the McAfee Site Advisor that can do some similar stuff -
> > > not sure how that works though. I installed their toolbar, but can't
> > > say I've seen anything conclusive anywhere.
> > > On Dec 7, 7:47 pm, a-ok-site <a.ok.s...@gmail.com> wrote:
> > > > Chris,
> > > > Thanks for the great info!
> > > > My main concern is that I was using standard ftp and while uploading
> > > > files and I had several worms try to attack my computer, but now I am
> > > > using secure ftp and have had no more problems on my side. I am not
> > > > sure that it was ever a problem on the server side, and I really don't
> > > > think the site is compromised, but one can never be too careful.
> > > > Daniel
> > > > On Dec 7, 6:36 pm, Chris Wright <chris.a.wri...@gmail.com> wrote:
> > > > > a-ok-site wrote:
> > > > > > Chris,
> > > > > > I joined the StopBadWare group and looked around some, but I am a
> > > > > > little confused about getting a StopBadware.org review/scan of my
> > > > > > site. Is it only for flagged sites or can it be used to make sure
> > > > > > that a site is and remains clean?
> > > > > It's only for flagged sites.
> > > > > They maintain a list of sites populated with data from Google and other
> > > > > trusted sources (but I suspect mainly Google).
> > > > > The good thing is that if your site's not listed, it's probably not
> > > > > compromised.
> > > > > (I say probably because there is always a lag between a Google listing,
> > > > > and a StopBadWare listing).
> > > > > But trust me, if you had malware on your site, you'd probably know by now...
> > > > > You only need to do a scan/review of your site, once you have been
> > > > > reported as having malware on your site.
> > > > > i.e.
> > > > > you get listed at SBA or Google
> > > > > you then clean your site
> > > > > ensure your site is clean
> > > > > close the door to the attackers
> > > > > then request a review at SBA (and maybe via your Google Webmasters
> > > > > Toolpanel).
> > > > > That's what the review/scan process is for.
> > > > > If you request a review of your site BEFORE it is cleaned, and it still
> > > > > has malware on it when they re-scan it, it adds a bucket load of time
> > > > > until you get removed from the list.
webado wrote:
> I don't know, like I said McAfee never returned a conclusive report
> on a site that had been reported to have badware and was apparently
> all cleaned up, so I suspect the human reporting is stronger and
> longer lasting than human verification there.
McAfee has more sites listed that carry "Phishing" and actually host "malware" type files, or those that encourage pop-ups
> This morning I had the opportunity to see some nasty stuff on a site
> I'd have never expected to fall prey to this. A Wordpress blog, a
> nasty script was added in that ended up inserting an iframe with a bad
> site in it, that downloads viruses or whatever (Googled for it and it
> turns out it's part of some Russian ring of badware spreaders). It
> fortunately never made it into Google's badware list, it was caught
> early.
I have a bucket load of sites on ipower which got compromised at the root level, i.e. when they gained access to one account on a shared server, they gained access to the whole server and all accounts.
Ipower got on the ball fairly quickly and #1 closed the door, #2 cleaned up most of the sites without the users even being aware of it, #3 tightened up security scripts pretty damn good. On the shared hosting accounts I manage now, they are packed with attempts at hacking the accounts again.
> It got cleaned up apparently fully and the software updated, but we
> don't know how it happened in the first place and there's always the
> lingering fear of a server exploit not just an application
> vulnerability.
More than likely it was an RFI (Remote File Inclusion) attack, and just as likely part of the MPACK attacks.
> Not my server luckily, but a blog on a very highly ranked site.
One of the very first things I do on an install of a blog/forum or similar type of OS is to do a mass search and replace for name version x-xx (i.e. phpBB 1.2.3.4 or MT 1.2 or WordPress 4.3.2.1) and replace it with something else.
If a vulnerability gets released for phpBB 4.3.2.1, all the malware guys need to do is use Google to search for "phpBB 4.3.2.1" and they have a nice handy list of sites to attack first. Even if you just remove the version numbers from any software you install on your sites, you cut your risks down.
Quite recently a very large bank in India itself became hacked using MPACK and infected every page of the site with a hidden script that tried to attack multiple vulnerabilities in the visitor's browser (not just Internet Explorer either). Using Firefox because it's safer is no longer true these days. Using Firefox with the NoScript addon is almost essential. And you can't rely on using Firefox to view your site to see if it's been hacked, because some of the malware check for IP's / Browser versions to see who is looking (to hide from Google et al).
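Added example, not from the thread or from any poster: a Python audit that reads template files from disk rather than through a browser, since the served page can differ by visitor as noted above. It flags version banners, and goes slightly beyond the version-string point to also flag hidden off-site iframes and off-site script sources of the kind described earlier in the thread. The host names, sample HTML and function names are constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Product names are the ones mentioned in the thread; extend for your own stack.
VERSION_RE = re.compile(
    r"\b(?:phpBB|WordPress|Movable Type|Coppermine)\s+v?\d+(?:\.\d+)+", re.I)


def _is_hidden(attrs):
    """True for an element sized or styled so that a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in {"0", "1"} for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


class _Audit(HTMLParser):
    def __init__(self, site_host, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, kind, value)

    def _offsite(self, url):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:
            return True  # malformed URL: worth a manual look
        if not host or host in self.allowed:
            return False  # relative URL or explicitly trusted host
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "meta" and a.get("name", "").lower() == "generator":
            if re.search(r"\d+\.\d+", a.get("content", "")):
                self.findings.append((line, "version-banner", a["content"]))
        elif tag == "script" and self._offsite(a.get("src", "")):
            self.findings.append((line, "offsite-script", a["src"]))
        elif tag == "iframe" and self._offsite(a.get("src", "")) and _is_hidden(a):
            self.findings.append((line, "hidden-offsite-iframe", a["src"]))

    def handle_data(self, data):
        # Visible text such as a "Powered by ..." footer.
        for m in VERSION_RE.finditer(data):
            self.findings.append((self.getpos()[0], "version-banner", m.group(0)))


def audit_html(html, site_host, allowed_hosts=()):
    """Return (line, kind, value) findings for one page or template."""
    parser = _Audit(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_tree(root, site_host, allowed_hosts=(),
               exts=(".html", ".htm", ".php", ".tpl")):
    """Audit every template-like file under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = audit_html(fh.read(), site_host, allowed_hosts)
                if found:
                    report[path] = found
    return report


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 2.3.1">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<p>Welcome to the forum.</p>
<iframe src="http://bad.example.org/x" width="0" height="0"></iframe>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
<div class="footer">Powered by phpBB 2.0.22</div>
</body></html>"""

if __name__ == "__main__":
    for line, kind, value in audit_html(SAMPLE, "forum.example.com"):
        print(f"line {line}: {kind}: {value}")
```

This only inspects static markup; an iframe written out by an injected script shows up here as the off-site or unexpected script source, not as an iframe.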
Oh I know. But as I said, that was not my server, not my client.
Hopefully they know what they are doing, at least now after having
been hacked.
As for me I rely on my own hoster to know what they are doing at least
server-wide security-wise. They are pretty paranoid about it to the
point we can't even run phpinfo any more, and especially any phpbb
forum installation gets disabled automatically if it's not been
updated in a timely manner soon after a new version is available -
LOL
My own applications I try to keep updated. I know about removing
version numbers, and luckily phpbb, coppermine and others already do
it now.
Personally I don't allow user input to blogs, period. No comments, I
originally disallowed that because I had no intention of letting
anyone with an axe to grind express themselves, nor be spammed. Wasn't
even thinking of exploits at the time.
Forums and guestbooks, well keeping them up to date and not letting them
be indexed by search engines helps.
My email forms are pretty darn tight, no uploads allowed, no html (nor
any kind of js or php code), no extra headers (all sanitized). Boring
stuff.
Not using any of the typical ones like formail or such. Strictly
handcoded, specific to my need. Captcha.
Bite my tongue LOL
Of course I have little control over my clients, unless I keep
checking what they have and use and how, consequently some have been
hacked, but just their sites, all contained.
A real PITA.
On Dec 8, 3:19 am, Chris Wright <chris.a.wri...@gmail.com> wrote:
> webado wrote:
> > I don't know, like I said McAfee never returned a conclusive report
> > on a site that had been reported to have badware and was apparently
> > all cleaned up, so I suspect the human reporting is stronger and
> > longer lasting than human verification there.
> McAfee has more sites listed that carry "Phishing" and actually host
> "malware" type files, or those that encourage pop-ups> This monring I had the opportunity to see some nasty stuff on a site
> > I'd have never expecetd to fall prey to this. A Wordpress blog, a
> > nasty script was added in that ended up inserting an iframe with a bad
> > site in it, that downloads viruses or whatever (Googled for it and it
> > turns out it's part of some Russian ring of badware spreaders). It
> > fortunately never made it into Google's badware list, it was caught
> > early.
> I have a bucket load of sites on ipower which got compromised at the
> root level, i.e. when they gained access to one account on a shared
> server, they gained access to the whole server and all accounts.
> Ipower got on the ball fairly quickly and #1 closed the door, #2 cleaned
> up most of the sites without the users even being aware of it, #3
> tightened up security scripts pretty damn good.
> On the shared hosting accounts I manage now, they are packed with
> attempts at hacking the accounts again.> It got cleaned up aparently fully and the software updated, but we
> > don't know how it happened in the first place and there's always the
> > lingering fear of a server exploit not just an application
> > vulnerability.
> More than like it was an RFI (Remote File Inclusion) attack, and just as
> likely part of the MPACK attacks.> Not my server luckily, but a blog on a very highly ranked site.
> One of the very first things I do on an install of a blog/forum or
> similar type of OS is to do a mass search and replace for
> name version x-xx (i.e. phpBB 1.2.3.4 or MT 1.2 or WordPress 4.3.2.1)
> and replace it with something else.
> If a vulnerability gets released for phpBB 4.3.2.1, all the malware guys
> need to do is use Google to search for "phpBB 4.3.2.1" and they have a
> nice handy list of sites to attack first.
> Even if you just remove the version numbers from any software you
> install on your sites, you cut your risks down.
> Quite recently a very large bank in India itself became hacked using
> MPACK and infected every page of the site with a hidden script that
> tried to attack multiple vulnerabilities in the visitors browser (not
> just Internet Explorer either).
> Using Firefox because it's safer is no longer true these days. Using
> Firefox with the NoScript addon is almost essential.
> And you can't rely on using Firefox to view your site to see if its been
> hacked, because some of the malware check for IP's / Browser versions to
> see who is looking (to hide from Google et al).
> On Jan 28, 8:55 pm, A-OK-SITE <daniel.a.ok.s...@gmail.com> wrote:
> > Christina.
> > Can you approve me again hopefully for the last time. I think I like
> > this profile....lol.
> > Daniel
> > On Dec 8 2007, 11:33 am, webado <web...@gmail.com> wrote: