Old 2009-06-16, 09:56 PM   #6
cd34
Quote:
Originally Posted by nate
you say that a lot. why so?
There are a few types of exploits that are out there. A web exploit or an FTP exploit are the two most common.

With the FTP exploit, a person's FTP user/password data is compromised and passed off to a cluster of machines. Those machines then go in with the FTP credentials and download every .html and .php file and replace <body> with <body><script exploit code> or <body><iframe exploit code>. Within a few hours, that cluster of servers will have modified as many pages as they can. Other machines in there will try to determine actual usable URLs and will inject remote shells that mimic existing files. You might have DSC003049.jpg in a directory and the exploit server might inject DSC003049.php. Those URLs are then cataloged for later attempts at spam & DDoS work.

Most web exploits don't modify dozens of files and usually just inject a script that allows remote access. Usually it is modification of a template or file so that they can later run remote shells or scripts, or, depending on the hole in the application, they may upload files into directories for later use. Not to say that they couldn't modify a number of files; it depends on how the server is set up.

If the host runs setuid or suexec, a compromised web script runs as the same userid as the FTP account and therefore all files can be modified. With FTP, you're almost guaranteed that every file you can see in FTP can be modified. From a return on investment standpoint, with an FTP account you are more likely to have more pages modified. More pages means more surfers potentially exploited which means more zombies/toolbars/etc.

However, the exploit listed above has about a 99% chance of being from an exploited FTP password.
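A cleanup-time check for the two artifacts the post describes (pages where `<body>` is immediately followed by a `<script>` or `<iframe>`, and `.php` files that share a name with an image in the same directory), added here as an example and not part of the original post. The function names, extension lists and sample docroot are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# <body ...> followed directly by a script or iframe tag, as the post describes.
INJECTED_BODY = re.compile(rb"<body[^>]*>\s*<(script|iframe)\b", re.IGNORECASE)
PAGE_EXTS = {".html", ".htm", ".php"}            # assumed list of page types
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif"}   # assumed list of media types

def find_injected_pages(root):
    """Pages whose <body> tag is immediately followed by <script> or <iframe>."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_EXTS:
            if INJECTED_BODY.search(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
    return hits

def find_lookalike_scripts(root):
    """.php files sharing a directory and base name with a media file."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        media_stems = {p.stem.lower() for p in path.parent.iterdir()
                       if p.is_file() and p.suffix.lower() in MEDIA_EXTS}
        if path.stem.lower() in media_stems:
            hits.append(path.relative_to(root).as_posix())
    return hits

def build_sample_tree(root):
    """Constructed docroot: clean files, one modified page, one lookalike .php."""
    root = Path(root)
    (root / "gallery").mkdir()
    (root / "index.html").write_text("<html><body><h1>Home</h1></body></html>")
    (root / "about.html").write_text(
        '<html><BODY class="x">\n<iframe src="//placeholder.invalid/"></iframe>'
        "<p>About</p></body></html>")
    (root / "gallery" / "DSC003049.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
    (root / "gallery" / "DSC003049.php").write_text("<?php /* placeholder */ ?>")
    (root / "gallery" / "view.php").write_text("<?php echo 'ok'; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("injected pages:   ", find_injected_pages(tmp))
        print("lookalike scripts:", find_lookalike_scripts(tmp))
```

Legitimate pages can also open their body with a script tag, so hits are leads to compare against a known-good copy of the site rather than proof of modification.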