I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday
I'm seeing a ton of files created in spots they should be. All created
by wwwrun (the webserver). I'm finding PHP scripts that are blatantly
commented with hacker code, _vti_ directories in sites and this server
doesn't have FP running on it. Cron jobs owned by wwwrun created and I
can see my machine connected to a strange IP on port 22 which is telling
me that my machine has opened an ssh connection with their server.
I'm seeing files that execute PHP Shell 1.7 which allows them to execute
commands via a form.
Has anyone ever run into this kind of problem? I've never really been
hacked like this before and I keep thinking I have it cleaned up but it
doesn't appear that way. One script had this in it: Powered By
#KARTUBEBEN CrEW @ DALnet
I know this may be a bit OT but any thoughts or suggestions would be
greatly helpful and appreciated.
Thanks!
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.