Using lsof to look through weird files is useful too.
dan wrote:
Eben Goodman wrote:
I recently had an IRC exploit on my server running this eggdrop relay
thing via apache. I was able to find the offending files and remove
them and the eggdrop processes went away for a while, but now they are
back and try as I might I can't find any files that correspond to this
software.
On Mon, 6 Jun 2005, Eben Goodman wrote:
If you're doing multi-hosting, look into suexec. The fact that it runs
CGIs as the user is kinda secondary to the fact that it shows you WHICH
user uploaded the insecure script.
For PHP scripts, I've had good luck running suPHP (which is not an
On Mon, 6 Jun 2005, Eben Goodman wrote:
find / -user apache -print
-Dan
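
Added example, not part of any poster's message: when processes keep running but no matching files turn up on disk, the binary may have been unlinked after it was started, so `find` cannot see it. On Linux the kernel marks this in `/proc/PID/exe`; the helper below (the function name and the optional proc-root argument are assumptions made for this sketch) lists such processes for one UID.

```shell
#!/bin/sh
# Added example (not from the thread). Linux only: relies on /proc.
# List processes owned by a UID whose executable was deleted from disk
# after launch. The kernel appends " (deleted)" to the /proc/PID/exe
# link target in that case.
#
# Usage: find_deleted_exes UID [PROC_ROOT]
#   e.g. find_deleted_exes "$(id -u apache)"     (run as root)
# PROC_ROOT defaults to /proc; it is a parameter only so the function
# can be exercised against a constructed directory tree.
find_deleted_exes() {
    uid=$1
    proc=${2:-/proc}
    for dir in "$proc"/[0-9]*; do
        # Process may have exited, or the glob matched nothing
        [ -r "$dir/status" ] || continue
        # Real UID is the first number on the "Uid:" line
        owner=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null)
        [ "$owner" = "$uid" ] || continue
        # exe is unreadable for kernel threads or without privileges
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cwd often points at the directory the files were dropped in
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        case $exe in
            *" (deleted)")
                # Output: PID <tab> original path <tab> working directory
                printf '%s\t%s\t%s\n' "${dir##*/}" "$exe" "$cwd"
                ;;
        esac
    done
}
```

For any PID it reports, `lsof -p PID` shows the open files and network sockets of that process.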
I actually know which user it got through on; it came in through an insecure
PHP-Nuke application. I have since removed the nuke app, but the damage
appears to be done, since this eggdrop crap is still running on the