I am just trying to figure out if I have to re-install. It looks like
it. Vulnerability in PHP or PHPBB I think.
I found the perl script in /tmp
Or maybe secure /tmp and take the below steps.
Thoughts on this all?
Mark
On Dec 13, 2004, at 5:02 PM, mark@xxxxxxxxx wrote:
I found d0s3.txt in my /tmp dir.
Not sure how it got there. Found this too:
Here is the log file from error_log.1
--19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
=> `d0s3.txt'
Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,419 [text/plain]
0K .......... ......... 100% 74.68 KB/s
19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]
Not quite sure how this happened
Mark
Quoting Alexander Dalloz <ad+lists@xxxxxxxxx>:
On Tue, 14.12.2004 at 0:00, mark@xxxxxxxxx wrote:
When I run: lsof -i |grep perl
I get:
perl 4883 apache 124u IPv4 193039277 TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
perl 17513 apache 124u IPv4 65252685 TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
So I have a connection to an irc daemon.
You have two of them. Whether they are really irc connections can't be said from that. The "ircd" comes from /etc/services and so port 6667 is translated this way. But it is:
Trying 12.5.48.98...
Connected to ftp.pqa.com.
Escape character is '^]'.
:Metallica.USA.GigaChat.net NOTICE AUTH :*** Looking up your hostname...
:Metallica.USA.GigaChat.net NOTICE AUTH :*** Found your hostname (cached)
I have grepped the web content directory for ircd and not found anything.
ps -ef |grep ircd gets nothing.
I can imagine that this does not show something useful. I guess there are cgi::irc webchat interfaces running. So check the content of cgi-bin directories. These webchat things can consume large amounts of resources.
I also can't seem to locate a perl script that is causing this.
So can anyone offer some help here? How can I check this further? I want to nail down the user (web user I hope) that is running this.
So you have users allowed to run things on Apache?
locate irc.cgi
Maybe that shows you quickly the locations where the "bad" things are.
Mark
Alexander
--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 00:46:57 up 3 days, 19:27, load average: 0.48, 0.59, 0.73
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
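As an added example (not code from the thread or from either poster), the following Python triage helper applies Alexander's point about the lsof output: it parses `lsof -i` TCP lines, resolves the "ircd" service name the way /etc/services does, and flags established connections from web-server-owned processes to IRC ports, which is exactly what the two perl processes above look like. The sample lsof lines are constructed from the ones in the thread (unwrapped) plus benign entries; the service map, port band and web user names are assumptions.

```python
import re

# Service-name to port map as /etc/services would resolve it; "ircd" is how
# lsof labelled port 6667 in the thread. Constructed here, not read from the host.
IRC_SERVICE_PORTS = {"ircd": 6667, "ircs": 6697}
IRC_PORT_RANGE = range(6660, 7001)          # typical IRC server port band (assumed)

# Accounts the web server runs as (assumed names); an outbound IRC session
# from one of these is the pattern seen in the thread.
WEB_USERS = {"apache", "www-data", "nobody"}

# One "lsof -i" TCP line: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+"
    r"(?:\S+\s+)?TCP\s+(?P<local>\S+)->(?P<remote>\S+)\s+\((?P<state>\w+)\)$"
)

# Constructed sample: the thread's two lines (unwrapped) plus benign traffic.
SAMPLE_LSOF = """\
COMMAND  PID   USER   FD   TYPE DEVICE    NODE NAME
perl     4883  apache 124u IPv4 193039277 TCP onofmydomains.com:56272->ftp.pqa.com:ircd (ESTABLISHED)
perl     17513 apache 124u IPv4 65252685  TCP oneofmydomains.com:60371->chobits.ircrev.com:ircd (ESTABLISHED)
httpd    2231  apache 3u   IPv4 55142     TCP oneofmydomains.com:http->203.0.113.7:41022 (ESTABLISHED)
irssi    900   alice  5u   IPv4 77001     TCP oneofmydomains.com:40000->irc.example.net:6667 (ESTABLISHED)
httpd    2231  apache 5u   IPv4 55150     TCP *:http (LISTEN)
"""

def port_of(endpoint):
    """Map 'host:6667' or 'host:ircd' to an integer port; None if unknown."""
    service = endpoint.rsplit(":", 1)[-1]
    if service.isdigit():
        return int(service)
    return IRC_SERVICE_PORTS.get(service)

def suspicious_connections(lsof_output):
    """Return established connections from web-server users to IRC ports."""
    findings = []
    for line in lsof_output.splitlines():
        m = LSOF_LINE.match(line.strip())
        if not m:
            continue                        # header, LISTEN sockets, UDP, etc.
        port = port_of(m["remote"])
        if (m["user"] in WEB_USERS and m["state"] == "ESTABLISHED"
                and port in IRC_PORT_RANGE):
            findings.append({"pid": int(m["pid"]), "command": m["cmd"],
                             "user": m["user"], "remote": m["remote"],
                             "port": port})
    return findings
```

On a live host, feed it the output of `lsof -i -n -P` instead of SAMPLE_LSOF; `-P` keeps ports numeric, so the service map is only needed for output captured without it, as in the thread.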