On 4 Jan 2006, at 16:05, eric wrote:
>> I have some suspect files in /tmp, and I'm fairly sure that they
>> shouldn't be there. Only thing I can't twig is what method the
>> attackers used to get the files into that directory. The files are:
>
> Is this doing any A/V scanning? You have told us nothing about the
> host in question: is it an email gateway? DNS server? etc.
It runs:
- qmail/spamassassin-spamd/openbsd-spamd/rblsmtpd
- stock apache/php 4.3.8
It does no AV scanning above and beyond what SpamAssassin provides.
It does not run any DNS services. I outlined my reasons why I
thought it was a php/cgi script problem, being that the messages were
found in the default httpd error logs.
Finally, here is a dmesg (thanks Josh :-)
OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 601 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 1073324032 (1048168K)
avail mem = 972726272 (949928K)
using 4278 buffers containing 53768192 bytes (52508K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/15/99, BIOS32 rev. 0 @ 0xfdb50
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000
mainbus0: Intel MP Specification (Version 1.1) (INTEL 440GX )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Pentium III ("GenuineIntel" 686-class) 601 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST380011A>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1 at pciide0 channel 0 drive 1: <IBM-DPTA-372050>
wd1: 16-sector PIO, LBA, 19574MB, 40088160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: apic 2 int 19 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 17 function 0 "ATI Mach64 GP" rev 0x5c
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 18 function 0 "3Com 3c905B 100Base-TX" rev 0x30: apic 2 int 18 (irq 9), address 00:50:04:6a:2f:19
exphy0 at xl0 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM79
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
apm0: disconnected
Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
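The reasoning in the message above (suspect files in /tmp, and related messages in the default httpd error log) points at the check a practitioner would run first: pull the error_log entries that fall within a few minutes of each suspect file's timestamp and see which of them mention /tmp, a URL, or a download tool. The script below is an added example written for this page, not code from the thread or from the OpenBSD/Apache projects. The Apache 1.3/2.0 error_log format it parses is real; the sample log lines, the file path `/tmp/.x`, the documentation-range IP addresses and the `SUSPECT` indicator pattern are constructed for the example and are assumptions, not Gaby's data. One detail the parser handles that a plain `grep` misses: stderr from any command a PHP/CGI script spawns (wget's progress lines, shell errors) is written to error_log with no timestamp prefix, so those lines are attached to the preceding timestamped entry instead of being dropped.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 / 2.0 error_log lines look like
#   "[Wed Jan 04 03:12:38 2006] [error] [client 203.0.113.5] message"
# Anything a CGI/PHP-spawned command writes to stderr lands in the same
# file with NO such prefix, so it must be treated as a continuation line.
PREFIXED = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Indicators that a web process wrote into /tmp or fetched something.
# This pattern is an assumption chosen for the example, not from the thread.
SUSPECT = re.compile(r"/tmp/|https?://|\b(wget|curl|fetch)\b|\bchmod\b|\bperl\b", re.I)


def parse_error_log(lines):
    """Parse error_log lines into dicts (ts, level, client, msg).

    Unprefixed lines (stderr of spawned commands) are appended to the msg of
    the preceding timestamped entry rather than discarded."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = PREFIXED.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m.group("ts"), TS_FMT),
                "level": m.group("level"),
                "client": m.group("client"),   # None for server-level notices
                "msg": m.group("msg"),
            })
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line
    return entries


def correlate(entries, suspect_files, window=timedelta(minutes=5)):
    """Map each suspect file path to the error_log entries that fall within
    `window` of the file's timestamp and match the SUSPECT indicators."""
    hits = {}
    for path, when in suspect_files.items():
        hits[path] = [
            e for e in entries
            if abs(e["ts"] - when) <= window and SUSPECT.search(e["msg"])
        ]
    return hits


# Constructed sample data (not from the thread): one suspect file and a few
# error_log lines, including two unprefixed wget stderr lines.
SAMPLE_LOG = """\
[Wed Jan 04 02:50:12 2006] [error] [client 198.51.100.21] File does not exist: /var/www/htdocs/favicon.ico
[Wed Jan 04 03:12:38 2006] [error] [client 203.0.113.5] PHP Warning:  include(): Failed opening 'http://203.0.113.99/c.txt' for inclusion in /var/www/htdocs/index.php on line 12
[Wed Jan 04 03:12:40 2006] [error] [client 203.0.113.5] sh: /tmp/.x: cannot execute - Permission denied
--03:12:40--  http://203.0.113.99/x
           => `/tmp/.x'
[Wed Jan 04 09:41:03 2006] [notice] Apache/1.3.29 (Unix) PHP/4.3.8 configured -- resuming normal operations
""".splitlines()

# Timestamp taken from stat(2) of the suspect file; see the note below on
# using ctime rather than mtime.
SUSPECT_FILES = {"/tmp/.x": datetime(2006, 1, 4, 3, 12, 40)}


def run(lines=SAMPLE_LOG, files=SUSPECT_FILES):
    return correlate(parse_error_log(lines), files)


if __name__ == "__main__":
    for path, ents in run().items():
        print(path)
        for e in ents:
            print("  %s %s %s" % (e["ts"], e["client"], e["msg"].splitlines()[0]))
```

Two caveats when running this against a real box. Feed it the file's ctime (`stat -f %c` on OpenBSD) rather than mtime, because mtime can be reset with touch(1) or utimes(2) while ctime cannot be set from userland. And remember that the stock OpenBSD httpd runs chrooted to /var/www unless started with `httpd -u`, so a "/tmp/..." path in a PHP warning refers to /var/www/tmp, not the system /tmp; if the files really are in the system /tmp, that itself says something about how httpd was started.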