Hi friends,
about two weeks ago, I caught a Trojan from somewhere.
McAfee detected it and removed it, no prob - I thought...
As it had detected multiple versions of it, which kept popping in, I unplugged the network wire, restarted, HijackThissed, Spybotted, cleared my cache & temp files, you know: the usual jazz.
I also installed an additional software firewall and screwed McAfee's security settings up to maximum.
Since then, all's clear; so far, so good.
Two days later however, my jaw dropped when my ftp log files told me that my ftp (running on a dedicated server) had been compromised - using MY logins, and my website "adorned" with a nice, hidden iframe...
I closed the ftp service, changed all logins, checked the server (was clean) and restored the website by completely wiping the entire root and uploading my latest, clean package.
Since then, the hacker has returned 6 times so far, trying to get back into my ftp.
Alas, my log files show him with up to 18 different IPs on each try, located in the USA, Canada, France, Sweden...
So I don't have a chance to identify him.
Do I?
That's my big question now: at the moment, that bastard does not get in and cannot do any harm. But he does keep trying and you know Murphy's Law: one day he might find a loophole somewhere...
I also don't want him to have a chance to bombard my server with requests until DoS...
Do I have any chance to find out the true origin of these attacks?
I'm already running Peer Guardian on my server now, but the history of PG does not show anything conspicuous at the time of his last attempt, which was yesterday evening.
I would greatly appreciate any advice you can give me.
I want to nail that rat!
Thanks!
MakeItSo
[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell