New exploit in Apache and FC3?
Michael A. Peters
mpeters at mac.com
Mon Jun 27 02:24:00 UTC 2005
On Sun, 2005-06-26 at 22:09 -0400, Mailing List Receiver wrote:
> Ever since we found and stopped a phishing site that had been planted
> on our server to run as the default site under Apache, we have been under
> constant attack. Presumably, the perpretrators did not appreciate that
> we made their millions of scam emails ineffective.
>
> So, today I just happen to get a feeling that I should check for rootkits.
> Sure enough, someone had a listener at port 3049 and lsof showed the owner
> as being Apache. More investigation shows the following in /tmp
*snip*
I'd be more inclined to guess that there actually is a hole in a web app
you are running - you are a hosting service, correct?
A lot of hacks are done through insecure hosting software - maybe cpanel
or something like that.
More information about the users
mailing list