John Jacobs wrote: > In my previous experience, including a few vulnerabilities in Roundcube, > I've seen a programmatic scan, exploitation, and then wget/dropping of a > Perl IRC bot. Of course this is all speculation based on previous > experience, I am not looking at lucio's box. The Apache access/error logs > should have the offending log entries and/or any output from the > system()/exec() etc PHP functions. Lucio -- what user was the IRC bot > running under?
www-data > Lucio, I would also recommend subscribing to the Ubuntu Security-Announce > mailing lists which issue the USNs so you are aware of which packages have > been patched and those which require a reboot to effect the changes, such > as Kernel update. hosted vps, the kernel updates are up to the provider. > James you are correct regarding the shell; I would assume /bin/sh would be > pointed to /bin/dash or /bin/bash on a Ubuntu system. I would assume the > user's login shell would be /bin/bash. Ubuntu has bash and dash installed by default, and /bin/sh -> dash, but any user is defaulted to /bin/bash _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/