My server may have been compromised, just posting to see if anyone else with vbull

[sross]

Today I was notified:

> URL: http://mywebsite dot org/pa.htm
> IPv4: 173.xxx.xxx.120
> IPv6: No IPv6
> Time: 2012-09-13T12:18:35+00:00

This file pa.htm is definitely not something I placed on my server, it redirects to some online pharmacy scam site. This is the first time in 10yrs I have encountered something like this. I have the host running some scans to see if anything else can be identified. I can only hope it's a minor issue as so far the site has not been defaced and is running as normal.

Has anyone here encountered such a thing? I'm not 100% sure how to proceed but will be working closely with my host over the next hours.

[borbole]

That points to the server being compromised for that file to get uploaded in your server space. Your server should be able to tell you more about it by checking their access logs.

[sross]

Having gone through most everything (which is like trying to find a needle in a haystack) I can't seem to locate how it happened. It does have the feel of a user account level breach as no one touched root or ftp other then my own ip address. I suspect some automated tool found a flaw in an old plugin or such then went to work, it managed to get the file in the directory and probably wanted to redirect all traffic to that file but could not get any further. I spent the day looking for any other changes, my rsync to off site logs show that file as the only new addition or change to my file system. Host found no indication of root access or access by any ip address other than mine and theirs. Since the incident no new files have appeared. I removed 2 domains off the server running lesser known scripts, i updated an old tapatalk. Today I plan to target and remove any old or uneeded plugins. One question, if a plugin is disabled can it still be vulnerable? Thanks

[Lynne]

Are you on shared hosting? It could be you were compromised through another site.