On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:
On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
What would be nice is to see the contents of the .htaccess file (obviously with sensitive information excluded).
I cleaned up compromises similar to this on a customer site fairly recently. In our case it was the exact same behavior, but it was PHP injected into their application instead of .htaccess. I do not recall what the original compromise vector was; it was something in the customer's custom application which they resolved.
It looked like the malware did a find and replace for <?php and replaced it with:
<snipped> http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters. Not sure if it caught the base64 or the plaintext, so I snipped both. You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html
(where brugge.osa.pl was the destination for the redirects in the compromise of this customer site)
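A defender-side scanner for the two injection shapes this thread describes: every `<?php` open tag followed by an eval/decode loader (the find-and-replace Ryan saw), and an .htaccess that redirects visitors off-site. This is an added example, not code from the thread; the sample file contents, the placeholder payload and the `own_hosts` list are constructed, and the rule syntax is only a guess at what the .htaccess may have held.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected file: each "<?php" tag has been replaced by
# "<?php eval(base64_decode(...))". The base64 body is a placeholder, not the real one.
INJECTED_PHP = (
    "<?php eval(base64_decode('UExBQ0VIT0xERVI='));?>\n"
    "<?php\n"
    "echo 'hello';\n"
)
CLEAN_PHP = "<?php\n$x = 1;\necho $x;\n"

# Constructed .htaccess: one off-site redirect (destination named in the post) and
# one legitimate same-site redirect that must not be flagged.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^(.*)$ http://brugge.osa.pl/ [R=302,L]\n"
    "Redirect 301 /old http://www.example.com/new\n"
)

# An open tag immediately followed by a decode/execute primitive is the shape a
# bulk find-and-replace on "<?php" leaves behind; hand-written code rarely looks so.
LOADER_AFTER_OPEN_TAG = re.compile(
    r"<\?php\s*@?\s*(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
OPEN_TAG = re.compile(r"<\?php", re.IGNORECASE)
REDIRECT_LINE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent)?)\s+.*?(https?://\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def scan_php_source(text):
    """Return (line_number, primitive) for every open tag that leads straight into a loader."""
    hits = []
    for m in LOADER_AFTER_OPEN_TAG.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).lower()))
    return hits

def injected_tag_ratio(text):
    """Fraction of open tags that carry a loader; near 1.0 means a mass find-and-replace."""
    total = len(OPEN_TAG.findall(text))
    return len(scan_php_source(text)) / total if total else 0.0

def scan_htaccess(text, own_hosts):
    """Return hostnames of redirect targets that are not the site's own hosts."""
    targets = []
    for m in REDIRECT_LINE.finditer(text):
        host = urlparse(m.group(2)).hostname
        if host and host.lower() not in own_hosts:
            targets.append(host.lower())
    return targets
```

Run it over a web root with `os.walk`, treating any file with a non-zero ratio or any off-site redirect as a candidate for restoring from a known-good copy.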
On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
<snip>
--
- (2^(N-1))