Kk, here is what I've got so far:
My system seems to be infected by some kind of trojan/worm/virus called
Unix/Hacktop, which does (from what I'm seeing) some kind of scanport via
ssh (22).
I found some related info saying that the intruder could be using a
security flaw from AWSTATS + Apache to get a valid root bash session
over port 80.
Now the intruder created a few files, infected some others and is using
this scanport. I stopped the scanport by blocking the output of ssh in
my iptables and was able to erase some virus-related files.
Now I want to know just 2 things:
First, how can I be sure that it all happened because of the awstats
security flaw?
Second, how could I completely remove this Unix/Hacktop from my system
(Linux RedHat9 k2.4) ?
PS: I know that the second question doesn't have anything to do with the
httpd list at all, but if someone could plz help me, I would be really
thankful! :)
Best Regards,
Anderson