sbeam wrote:
On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
maybe you should check with "lsof -p 3041" and see which files/pipes it
uses to have a clue.

of course! <slap>

it's a perl w0rm that was uploaded last night, now killed. Now to determine how it got in.

I found some output in the main apache error log that looks like wget was used to download a shellbot. But I can't figure out how wget was called, may be some PHP exec() call that is unchecked.
But I can't find it on the system yet or the data files it uses.

chkrootkit says all is clear.

mod_security is now being installed, belatedly. This server has only been up 1 week, sheesh.

thanks
Sam



PS here is the link to the shellbot that was used, in case anyone is curious. I break up the URL to protect the innocent:

http://usua<BREAK>rios.lycos.es/<BREAK>w0rms/info.txt

have searched it and don't find anything special on the main security sites. Is it new?

Hm. And what about SELinux and httpd? SELinux is securing httpd from these attacks, right? SELinux was disabled?

Irek

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
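
Added example, not part of the original thread: when a child process of httpd runs wget, its progress output lands in the Apache error log without the usual bracketed timestamp, so those lines can be timed and matched against the access log to shortlist the request that spawned it. The log lines, addresses, paths and the 5-second window below are constructed assumptions, and the access log is assumed to be in common/combined format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (assumptions, not data from the thread).
ERROR_LOG = """\
[Tue Aug 12 03:13:30 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
--03:14:07--  http://files.example.invalid/bot.txt
Length: 1024 [text/plain]
"""
ACCESS_LOG = """\
192.0.2.10 - - [12/Aug/2008:03:13:30 -0400] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [12/Aug/2008:03:14:06 -0400] "POST /app/upload.php HTTP/1.1" 200 512
192.0.2.10 - - [12/Aug/2008:03:19:00 -0400] "GET /index.html HTTP/1.1" 200 1024
"""

APACHE_TS = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})\]")
# wget banner: "--HH:MM:SS--  URL" (older) or "--YYYY-MM-DD HH:MM:SS--  URL" (newer)
WGET_LINE = re.compile(r"^--(?:(\d{4}-\d{2}-\d{2}) )?(\d{2}:\d{2}:\d{2})--\s+(\S+)")
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def wget_events(error_log):
    """Return [(timestamp, url)] for wget banner lines found in an error log."""
    events, last_day = [], None
    for line in error_log.splitlines():
        m = APACHE_TS.match(line)
        if m:  # remember the date of the last normally stamped entry
            last_day = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").date()
            continue
        m = WGET_LINE.match(line)
        if not m:
            continue
        date, clock, url = m.groups()
        day = datetime.strptime(date, "%Y-%m-%d").date() if date else last_day
        if day:  # time-only banners borrow the date from the preceding entry
            events.append((datetime.combine(day, datetime.strptime(clock, "%H:%M:%S").time()), url))
    return events

def suspects(error_log, access_log, window=5):
    """Requests received at most `window` seconds before a wget run started."""
    hits, events = [], wget_events(error_log)
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        client, stamp, request, status = m.groups()
        # Both logs use server local time, so the UTC offset is dropped.
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        for ts, url in events:
            if timedelta(0) <= ts - when <= timedelta(seconds=window):
                hits.append((client, request, status, url))
    return hits

if __name__ == "__main__":
    for hit in suspects(ERROR_LOG, ACCESS_LOG):
        print(hit)
```

A hit is only a candidate: the script named in the request still has to be reviewed for an unchecked exec()-style call, and a busy server may need a narrower window.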


