I have a checksumming software – I use Mandriva’s msec, but it does not monitor the hosted websites, because files change there all the time (as people update their websites), so I didn’t get a notification for that. My first clue was Avi’s email that he sent after checking my site and seeing that it was defaced. As the attackers didn’t do anything to my site other than put in an index.html, and as the bookmark I use to go to my site is directly to the blog, there would have been no other way for me to notice the problem.

After I identified the attack vector as the FTP access (I checked SSH and couldn’t find problems, and FTP was next), I looked in the logs for files that were recently uploaded to the compromised accounts, and just removed everything I found. I was lucky because I never use FTP to upload files to the site (only file transfers over SSH) and the second account is not very active – it’s a commercial website that doesn’t update often, so it was easy to identify malicious files. Once I got the files that were uploaded, I could analyze them – some were harmless HTML files, others were less harmless. The rootkit wasn’t successfully installed – I found the C file for the exploit that was uploaded by the attackers, but the attacker never managed to actually run the exploit.

Anyway – I was too early to rejoice. Apparently I didn’t block enough of the attacker’s usable IP range, and worse – changing the password didn’t prevent them from logging in again, and so my website was targeted again – this time a phishing scam website was uploaded. I have now blocked the attacker’s entire ISP, and I need to figure out how they gain FTP access, ASAP.
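The triage step described in the post, pulling recent uploads to the compromised accounts out of the FTP transfer log, can be scripted. The following is an added example written for this page, not the author's own tooling; it assumes the FTP server writes the common wu-ftpd/proftpd xferlog format (the post does not say which server was used), and the log lines, account names and addresses in it are constructed. It lists completed uploads per account after a cutoff, flags file types that a static website normally never receives, and collects the remote addresses behind those uploads, which is the input to the blocking decision the post describes.

```python
"""Added example (hypothetical helper): list files uploaded over FTP to
given accounts after a cutoff time, from an xferlog-format transfer log."""
import os
from datetime import datetime

# Constructed sample xferlog lines, not real log data. Field layout:
# weekday month day hh:mm:ss year xfer-secs remote-host bytes path
# xfer-type special-flag direction access-mode user service auth auth-id status
SAMPLE_XFERLOG = """\
Mon Mar  3 02:14:07 2008 1 203.0.113.7 812 /home/shop/www/index.html a _ i r shop ftp 0 * c
Mon Mar  3 02:15:22 2008 2 203.0.113.7 20480 /home/shop/www/images/x.c a _ i r shop ftp 0 * c
Tue Mar  4 11:02:45 2008 1 198.51.100.5 4096 /home/alice/www/news.html a _ i r alice ftp 0 * c
Tue Mar  4 18:30:00 2008 1 203.0.113.9 1024 /home/shop/www/login.php a _ i r shop ftp 0 * c
Wed Mar  5 09:00:00 2008 1 192.0.2.44 2048 /home/shop/www/catalog.html a _ o r shop ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Paths never contain spaces in this
    format (the server substitutes underscores), so whitespace splitting is safe."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue  # blank or truncated line
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        records.append({
            "time": when,
            "host": parts[6],
            "size": int(parts[7]),
            "path": parts[8],
            "direction": parts[11],  # 'i' upload to server, 'o' download, 'd' delete
            "user": parts[13],
            "status": parts[17],     # 'c' complete, 'i' incomplete
        })
    return records


def find_uploads(text, users, since_iso):
    """Completed uploads ('i') by any of `users` at or after the ISO date/time."""
    since = datetime.fromisoformat(since_iso)
    return [r for r in parse_xferlog(text)
            if r["direction"] == "i" and r["status"] == "c"
            and r["user"] in users and r["time"] >= since]


def flag_by_extension(records, exts):
    """Uploads whose extension is unexpected for a static site (e.g. C or PHP sources)."""
    return [r for r in records if os.path.splitext(r["path"])[1].lower() in exts]


def remote_hosts(records):
    """Distinct remote addresses that performed the uploads, sorted."""
    return sorted({r["host"] for r in records})


if __name__ == "__main__":
    uploads = find_uploads(SAMPLE_XFERLOG, {"shop"}, "2008-03-03")
    for r in uploads:
        print(r["time"], r["user"], r["host"], r["path"])
    print("suspicious:", [r["path"] for r in flag_by_extension(uploads, {".c", ".php"})])
    print("hosts:", remote_hosts(uploads))
```

Run it against the real xferlog with the compromised account names and the time of the first known bad upload; the flagged list is a starting point for review, not a verdict, since harmless HTML uploads (as the post found) show up alongside the rest and every listed file still needs to be checked by hand.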