Asterisk were recently called in to assist a Not-for-profit in responding to a website defacement security incident. Initially it was suspected that there must be some vulnerable web application code on the website, perhaps via an un-patched web forum, or old, archived copies of an out of date forum. Of course when you start looking through the web logs and you can’t see anything obvious that’s when you have to widen your net.
So naturally we checked out the FTP logs, and voila, a number of uploads from an IP from Monaco, placing numerous .php files in numerous folders. This IP address logged into the FTP account using the primary FTP account holder’s username, which we knew had a really complicated (read: 12+ characters with a mix of upper, lower and symbols) password. After confirming with the client that they stored these credentials in FTP client software on a few computers, the next avenue of investigation was that they’d had their one of their PCs compromised… and there was the root cause.
Whilst this isn’t that uncommon these days, it’s certainly something to consider when you’re responding to website defacement incidents.
Doing a bit of research now on the IP address you can also see that this attacker went after quite a few sites.. http://www.ipillion.com/ip/126.96.36.199