http://www.linux.com/feature/125548
According to cPanel, if you are unable to create a directory name
beginning with a numeral -- as in mkdir 1 -- you're infected. Another
test is to monitor the packets from the server with the following
tcpdump command:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
Other than using and safeguarding secure root passwords, not much can
be done at this time to be proactive in preventing servers from being
compromised, so searching techniques similar to the tcpdump command
above, which check to see if a server has already been compromised, is
probably the best course of action available to administrators. We
haven't found a good answer yet for disinfecting compromised servers,
but a complete reinstall of Linux, Apache, and a new root password
would certainly do the trick.
--
Simon Sekidde
gpg: 98A6 8D22 578C FFCE F6F8 FC80 94D4 2451 1E8B 049D
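
The tcpdump check quoted above, run over saved payload text, as an added example that is not part of the original post or the linux.com article. The sample lines are constructed and the function names are hypothetical; it shows that the quoted pattern also flags any longer script name ending in five letters, and one way to narrow it to exactly five.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -A` payload text (not from a real capture).
sample_capture() {
cat <<'EOF'
<script language='JavaScript' type='text/javascript' src='/qxkzp.js'></script>
<script type='text/javascript' src='/js/jquery.js'></script>
<script type='text/javascript' src='/abcde.js'></script>
<script type="text/javascript" src="/menu.js"></script>
<link rel='stylesheet' href='/style.css'>
EOF
}

# Pattern exactly as quoted in the post: five letters followed by .js'
# Counts matching lines on stdin. It is unanchored, so "jquery.js'" also
# matches (on "query.js'").
loose_match() {
    grep -c "[a-zA-Z]\{5\}\.js'"
}

# Narrowed form (an assumption about what the check intends): the five
# letters must be preceded by a non-letter, so only names of exactly five
# letters are reported. Prints each distinct name once.
strict_names() {
    grep -o "[^a-zA-Z][a-zA-Z]\{5\}\.js'" | sed "s/^.//; s/'\$//" | sort -u
}

# Live use, bounded so sort can finish:
#   tcpdump -nAs 2048 -c 5000 src port 80 | strict_names
echo "lines hit by quoted pattern: $(sample_capture | loose_match)"
echo "distinct five-letter script names:"
sample_capture | strict_names
```

A name that shows up in the strict list and is not a file you serve is the thing to investigate; a legitimate five-letter script name will still appear and has to be ruled out by hand.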