On Monday 16 April 2007 17:07, Will Parkinson wrote:
> Yeah, this sounds like the only safe option I can take at this point, as
> there is private data on the server. Although, do you have any idea how
> this could have happened? The server is not in house; it is hosted by a
> third party, who are also investigating this problem, and he seems to
> think the system has not been hacked. Reinstalling the system is a good
> option at this point, but if I can't find out where this problem
> originated, I am leaving myself open for this to happen again.
That would depend upon the installed software and the configuration. You can save a copy of the compromised system and have someone investigate it. There are no guarantees, but most likely the attack vector can be determined if the log files are good.

If you want to try yourself, check the modified and creation times of the spam script you found in /tmp, and then check through all your logs for unusual activity around that time. Be sure to do this when the disks are mounted read-only and noexec in another system - you can't tell anything while you're running in a compromised system.

If the logs don't help, you can also try searching for any files or directories that were modified within an hour (or within a day) of the spam script's arrival. You may find more exploits and/or clues that way.

Be advised that the original exploit may have been much earlier. A black hat may have gained control of the server and later returned to send spam, or simply sold control to a spammer.

As for the person who thinks the server was not hacked, how does he account for the existence of the spam script in /tmp?

--Mike Bird
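The time-window search Mike describes, written out as an added example that is not part of the thread: it takes the suspicious script's mtime from a read-only, noexec mount of the compromised disk and lists every file whose mtime falls within a window around it. It assumes a GNU userland (`touch -d @epoch`, `stat -c`) and a mount path passed as ROOT; the sample tree and its timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Search a mounted evidence image for files
# modified within WINDOW seconds of a reference time (the spam script's mtime).
# Assumes GNU touch/stat; the image is mounted read-only,noexec at ROOT.

# Epoch mtime of a file (stat -c %Y is GNU-specific).
file_mtime() {
    stat -c %Y "$1"
}

# find_near_time ROOT EPOCH WINDOW
# Lists regular files under ROOT (same filesystem only) whose mtime lies in
# [EPOCH-WINDOW, EPOCH+WINDOW]. Two temporary reference files outside ROOT
# carry the window bounds so that plain POSIX 'find -newer' can be used.
find_near_time() {
    root=$1; epoch=$2; win=$3
    lo=$(mktemp); hi=$(mktemp)
    touch -d "@$((epoch - win))" "$lo"
    touch -d "@$((epoch + win))" "$hi"
    find "$root" -xdev -type f -newer "$lo" ! -newer "$hi" | sort
    rm -f "$lo" "$hi"
}

# Constructed sample tree standing in for the mounted image. Timestamps are
# invented: the script lands at 1176700000 (16 April 2007, UTC).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/var/www" "$d/etc"
    touch -d '@1176700000' "$d/tmp/spam.pl"        # the suspicious script
    touch -d '@1176698500' "$d/var/www/shell.php"  # 25 min earlier: inside 1h window
    touch -d '@1176703000' "$d/etc/crontab"        # 50 min later: inside
    touch -d '@1176000000' "$d/etc/passwd"         # 8 days earlier: outside
    printf '%s\n' "$d"
}

# Usage on a real image: sh thisscript.sh /mnt/evidence "$(stat -c %Y /mnt/evidence/tmp/spam.pl)" 3600
if [ $# -eq 3 ]; then
    find_near_time "$1" "$2" "$3"
fi
```

Widen the window to 86400 for the one-day pass Mike suggests; files found this way are leads to check against the logs, not proof by themselves.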