Izak Burger wrote:
> On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz
> I agree, chances are the box hasn't been exploited just yet, but I
> would be worried about just how he got that file there in the first
> place. We know that directory is world writable, so it could have been
> written by anything, but what? Sometimes the ownership of the file
> will give it away, for example, if the file is owned by www-data, you
> know some exploit in apache (usually php!) was used to gain file
> system access.
Yes, chances are that it's just some insecure script in a webspace. Not
good, but if you are a webservice provider, you always have some special
customer.
I even know companies which buy a CMS and don't think about who cares for
it over time, as long as it's running ...
On the other hand, you should keep in mind that it could be someone who
has gained root privileges and hides some of his activities. If he is
root, then there have to be some other traces left of him.
So you should collect other information:
- lsof and /proc, if you find suspicious processes
- intrusion detection software
- logfile scanning software and manually examining log files, including
firewall logs
A good point is when you can trace times of activity. But always keep in
mind that the information could be wrong.
--
Guntram Trebs
freelance programmer and administrator
g...@trebs.net
+49 (30) 42 80 61 55
+49 (178) 686 77 55
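Added example, not code from the thread: a small POSIX sh triage helper for the checks discussed above (file ownership as a hint to the vector, world-writable parent directory, other files by the same owner for a timeline, and processes with a working directory in that tree or a deleted executable, read from /proc). It assumes GNU coreutils/findutils and a Linux /proc; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suspicious file found in a
# world-writable directory. Assumes GNU stat/find and a Linux /proc.
# Function names are hypothetical, chosen for this example.

# Owner and group of a path, e.g. "www-data:www-data". An owner such as
# www-data points at the web stack as the likely vector.
file_owner() {
    stat -c '%U:%G' "$1"
}

# Succeed (exit 0) when the directory containing $1 is world-writable,
# i.e. the 'w' in the "other" triplet of the mode string is set.
dir_world_writable() {
    case $(stat -c '%A' "$(dirname "$1")") in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# List regular files under $2 (including $1 itself) owned by the same user
# as $1, newest first with their mtime, to widen the timeline beyond one file.
same_owner_files() {
    owner=$(stat -c '%U' "$1")
    find "$2" -xdev -type f -user "$owner" -printf '%TY-%Tm-%Td %TT %p\n' \
        | sort -r
}

# Report processes whose cwd lies under $1, or whose executable has been
# unlinked, both common residue of something dropped into a /tmp-like dir.
procs_of_interest() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null)
        case $cwd in "$1"|"$1"/*) echo "$pid cwd=$cwd exe=$exe" ;; esac
        case $exe in *'(deleted)') echo "$pid exe unlinked: $exe" ;; esac
    done
}

# Run all checks for one suspicious file and print a short report.
triage() {
    f=$1; d=$(dirname "$f")
    echo "owner: $(file_owner "$f")"
    dir_world_writable "$f" && echo "parent dir $d is world-writable"
    echo "--- files by the same owner under $d (newest first):"
    same_owner_files "$f" "$d"
    echo "--- processes of interest:"
    procs_of_interest "$d"
}
```

Run as `triage /path/to/suspect-file` with enough privilege to read /proc entries of other users; the timeline it prints is only as trustworthy as the mtimes on a box the intruder may already control.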
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org