I found d0s3.txt in my /tmp dir.
Not sure how it got there. Found this too:
Here is the log file from error_log.1
--19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt => `d0s3.txt' Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done. Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 20,419 [text/plain]
0K .......... ......... 100% 74.68 KB/s
19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]
Not quite sure how this happened
Mark
Greetings,
I had the same thing happen. It seems that the vulnerability is due to crappy settings in the default install of PHP. Here are a few things to help prevent it...
1) Write your own custom iptables rules that tightly restrict BOTH incoming and outgoing traffic. Although ports 80 & 443 were open on my server, it wouldn't allow the outgoing connections back to the attacker's control point because it used 6667 which was not explicitly allowed.
2) Change the default upload and session directories for PHP (or turn uploads off if you don't need them)
3) Run PHP in safe mode
4) turn off the ability to include remote files in PHP
5) disable functions like exec, popen, and passthru
Since making these adjustments, I haven't had any further issues with this particular attack. I'm surprised there hasn't been more noise made over this one.
Aloha, Chris
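The five steps Chris lists, as an added example that is not part of the thread: a small POSIX shell script that audits a php.ini fragment against those settings (safe_mode, remote file access, the dangerous functions, and the upload/session directories) and prints the outbound-restricting iptables rules from step 1 as a dry run. The php.ini contents, the interface name eth0, and the /var/lib/php paths are constructed for the example; the script echoes the iptables commands rather than executing them.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits php.ini text for the
# settings discussed above and prints (does not run) egress iptables rules.

# Constructed php.ini fragments: the weak defaults and a hardened version.
WEAK_INI='safe_mode = Off
allow_url_fopen = On
disable_functions =
upload_tmp_dir =
session.save_path = /tmp'

HARDENED_INI='safe_mode = On
allow_url_fopen = Off
disable_functions = exec, popen, passthru, system, shell_exec, proc_open
upload_tmp_dir = /var/lib/php/upload
session.save_path = /var/lib/php/session'

# ini_value CONTENT KEY -> prints the value of KEY (first match, trimmed)
ini_value() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | head -n1 | sed 's/[[:space:]]*$//'
}

# audit_php_ini CONTENT -> prints one line per weak setting found
audit_php_ini() {
  [ "$(ini_value "$1" safe_mode)" = "On" ] \
    || echo "safe_mode is not On"
  [ "$(ini_value "$1" allow_url_fopen)" = "Off" ] \
    || echo "allow_url_fopen is not Off (remote files can be fetched/included)"
  # Normalise the comma list so "exec, popen" and "exec,popen" compare alike.
  df=$(ini_value "$1" disable_functions | tr -d ' ')
  for f in exec popen passthru; do
    case ",$df," in
      *",$f,"*) ;;
      *) echo "disable_functions does not list $f" ;;
    esac
  done
  # Empty means the PHP default; /tmp is shared and world-writable.
  for k in upload_tmp_dir session.save_path; do
    v=$(ini_value "$1" "$k")
    case "$v" in
      ""|/tmp|/tmp/*) echo "$k uses the default or a /tmp location ($v)" ;;
    esac
  done
}

# weak_count CONTENT -> number of weak settings (0 means the audit is clean)
weak_count() { audit_php_ini "$1" | awk 'END { print NR }'; }

# egress_rules IFACE "PORT ..." -> iptables commands that allow new outbound
# TCP connections only to the listed ports; everything else (for example a
# connection back out to 6667) is logged and dropped by the chain policy.
egress_rules() {
  iface=$1
  echo "iptables -P OUTPUT DROP"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for p in $2; do
    echo "iptables -A OUTPUT -o $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  echo "iptables -A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT"
  echo "iptables -A OUTPUT -j LOG --log-prefix \"egress-drop: \""
}

# port_rule_count IFACE "PORT ..." PORT -> how many ACCEPT rules name PORT
port_rule_count() {
  egress_rules "$1" "$2" \
    | awk -v p="$3" 'index($0, "--dport " p " ") { n++ } END { print n + 0 }'
}

echo "== weak php.ini =="
audit_php_ini "$WEAK_INI"
echo "== hardened php.ini: $(weak_count "$HARDENED_INI") findings =="
echo "== egress rules (dry run) =="
egress_rules eth0 "80 443"
```

The audit only reads the text it is given, so it can be pointed at a real php.ini with `audit_php_ini "$(cat /etc/php.ini)"`. Note that safe_mode was removed in PHP 5.4, so on a current install that check should be dropped; allow_url_include is the newer directive that governs remote includes specifically, while allow_url_fopen still controls remote fetches like the wget-style download in Mark's log.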