
Buffistas Building a Better Board ++

Do you have problems, concerns, or recommendations about the technical side of the Phoenix? Air them here. Compliments also welcome.


Tom Scola - Mar 05, 2012 4:05:57 am PST #3149 of 4673
Remember that the frontier of the Rebellion is everywhere. And even the smallest act of insurrection pushes our lines forward.

The site is slow because we have been hacked.

I logged in and found the following script running: /var/www/vhosts/buffistas.org/cgi-bin/footgear.pl. Modification time of Feb 24.

The script is some kind of DDoS program. I think we have been using a shit-ton of bandwidth the past week or so.

I killed any footgear.pl processes that were running, moved the script out of the way, and made the cgi-bin directory unwritable. It will take me a while to go through the logs to see if I can figure out how they got in.


Jesse - Mar 05, 2012 4:42:32 am PST #3150 of 4673
Sometimes I trip on how happy we could be.

Yikes!


§ ita § - Mar 05, 2012 4:54:21 am PST #3151 of 4673
Well not canonically, no, but this is transformative fiction.

Good god, Tom. Thanks for catching that.

I am curious about how they got in, too. Our admin password is decently strong--do you think it should be changed?

A cursory google doesn't show me any scriptkiddy sites with that application name or anything, but I don't know all the l33t places to go.

eta: and do you think it's something we should report to iStrata in case that's how they got in, or other customers are compromised?


Consuela - Mar 05, 2012 6:12:32 am PST #3152 of 4673
We are Buffistas. This isn't our first apocalypse. -- Pix

Wow! Thanks for catching that, Tom.


Tom Scola - Mar 05, 2012 7:29:56 am PST #3153 of 4673
Remember that the frontier of the Rebellion is everywhere. And even the smallest act of insurrection pushes our lines forward.

Looks like they got in through Plesk.


§ ita § - Mar 05, 2012 7:36:35 am PST #3154 of 4673
Well not canonically, no, but this is transformative fiction.

Is there a security loophole or exploit that they used? Is our password compromised? Was it our Plesk install, or one at a higher level (like iStrata admin, or something?)


Tom Scola - Mar 05, 2012 7:39:36 am PST #3155 of 4673
Remember that the frontier of the Rebellion is everywhere. And even the smallest act of insurrection pushes our lines forward.

And, in fact, I see you, ita, logging into Plesk on Thursday, the 23rd, and then the hacker is able to log in on Friday, the 24th with no failed login attempts. I'm worried that there might be a keylogger on one of your systems, ita.

Edit: Or there could be a security hole in Plesk, and the fact that you logged in the day before was just a coincidence. I'm still looking.
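
[Added example, not part of the original post or the site's own tooling: the log check described in the post above, flagging a successful login from a never-before-seen address that had no failed attempts first. The log format, addresses, times and function names are constructed for illustration and are not Plesk's actual log format.]

```python
from datetime import datetime

# Constructed sample events (not the site's logs): timestamp, source IP, user, result.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-02-10T09:12:03 192.0.2.10 admin OK
2012-02-18T21:40:11 203.0.113.7 admin FAIL
2012-02-18T21:40:19 203.0.113.7 admin FAIL
2012-02-18T21:40:31 203.0.113.7 admin OK
2012-02-23T18:05:44 192.0.2.10 admin OK
2012-02-24T03:17:09 198.51.100.23 admin OK
"""

def parse(text):
    """Turn 'timestamp ip user result' lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at them
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def clean_logins_from_new_ips(events):
    """Return successful logins from an IP that has no earlier success for
    that user and no earlier failed attempt from the same IP."""
    seen_ok = {}    # user -> IPs with an earlier successful login
    failed = set()  # (user, ip) pairs with at least one earlier failure
    findings = []
    for ts, ip, user, result in events:
        if result == "FAIL":
            failed.add((user, ip))
            continue
        known = seen_ok.setdefault(user, set())
        # The very first success per user is treated as the baseline.
        if known and ip not in known and (user, ip) not in failed:
            findings.append((ts, ip, user))
        known.add(ip)
    return findings

if __name__ == "__main__":
    for ts, ip, user in clean_logins_from_new_ips(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user} logged in from new address {ip} with no failures")
```

A hit from this check rules out password guessing from that address, but it fits both explanations raised in the post: a stolen credential or a flaw in the login path itself.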


§ ita § - Mar 05, 2012 7:47:58 am PST #3156 of 4673
Well not canonically, no, but this is transformative fiction.

23rd of Feb? Can you email me the IP address that was from? I'm trying to think why I would have logged in. That seems too recent for the vote, and that was the last time I went in, to change the email address for the vote.


Tom Scola - Mar 05, 2012 8:00:52 am PST #3157 of 4673
Remember that the frontier of the Rebellion is everywhere. And even the smallest act of insurrection pushes our lines forward.

Insent.


§ ita § - Mar 05, 2012 8:34:24 am PST #3158 of 4673
Well not canonically, no, but this is transformative fiction.

Thanks. V. confusing. Obviously I can't keep track of when I go in, but keylogged on my Mac? Say it ain't so, Joe. Say it ain't so.