On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:

> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
>
>> What would be nice is to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
>
> I cleaned up compromises similar to this in a customer site fairly recently.
> In our case it was the same exact behavior but was php injected into their
> application, instead of .htaccess. I do not recall what the original
> compromise vector was, it was something in the customer's custom application
> which they resolved.
>
> It looked like the malware did a find and replace for <?php and replaced it
> with:
>

<snipped> http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters. Not sure if it caught the base64 or plaintext so I snipped both. You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html

> (where brugge.osa.pl was the destination for the redirects in the compromise
> of this customer site)
>
>> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>>
>>>> <snip>
>>>
>>
>> --
>>
>> - (2^(N-1))
>