Forum: Poser - OFFICIAL


Subject: Has DAZ been hacked?

steerpike opened this issue on Feb 16, 2005 · 34 posts


cooler posted Wed, 16 February 2005 at 6:44 PM

Attached Link: http://forum.daz3d.com/viewtopic.php?t=15162

This was just posted up at DAZ...

*"Hello, everyone. DAZ has asked me to make an explanatory post regarding this issue, since I was contacted to assist their system administration team with the forensics and I located the "root cause" of the intrusion to their server.

Essentially, at 13:09:09, a computer in Brazil connected to the DAZ website and exploited a security vulnerability in a commonly used statistical analysis package for web logs. An exploit existed that would allow a carefully crafted string to write or overwrite a file that the parsing script had permissions to. The attackers used this to create an 'index.html' page on the web server containing the message.

There's no evidence whatsoever to suggest the people responsible had any ability to read any data from the server. Moreover, because of the method used, we have a full log of every command issued, and we have a list of all files that were modified - and the only thing they touched was creating the spurious index.html.

While DAZ takes every security incident seriously, and will be working with the proper authorities to respond to this incident, even in a much more serious compromise there are actually several more hurdles that would have to be assailed by a would-be attacker to get access to any sensitive information. The credit card information entrusted to DAZ is protected by absolutely draconian security measures and is designed to be inaccessible to anyone - even DAZ employees."*

edited to add URL

Message edited on: 02/16/2005 18:49