> > On Wed, 2002-09-18 at 06:05, Michael Renzmann wrote: > > > "killall .bugtraq" would be suitable as well, and it would "destroy" > > > every other instance of the program that is running currently. Even if > > > detecting the current PPID does not work for whatever reason. > > *chuckle*
Unrelated to the previous post, but related to the thread, just FWIW (by someone who has seen hundreds of slapper infections in the past week) there are now several names for the process/files: .bugtraq update (a backdoor) .cinic (.cinik? cant remember) k look for others.. I found k in /var/tmp/.../ so .tmp is not the only place to check.. anywhere writeable by the user that apache is running as. I've also seen a couple versions which included psybnc or something similar (a little app that allows a windows luser to bounce their irc connection off of the server, thereby hiding their identity). Hope this is helpful :) -Justin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
