Re: Server compromised

>
> On Fri, 18 Feb 2005 paul@xxxxxxxxxxxxxxxxxxx wrote:
>
>> In place of FTP, what would you suggest? That is the only clear-text
>> password service I allow. So what else can I use in place of that?
>>
>> And shell access is denied for all accounts except for 2.
>>
>> I get the feeling this came in on awstats, although I'm not 100%
>> positive
>> and I'm wanting to find out how it got in first before I just delete and
>> restart over again.
>
> The only time I've had a Linux box compromised, it came in via a poorly
> configured ftp. What ftp server are you using? I had a wu-ftp (IIRC)
> online for about 20 minutes and a rootkit was installed in that time.
>
> Cheers,
>
> Al


I have vsftpd.

Actually I found the hole.

It was on a phpBB board, version 2.0.6. This isn't my board but a friend's.
I just host it for him.  There is a script that is installed in the tmp
directory which is then run with perl.  If I look in my apache logs I can
see this long GET string.

So I'm gonna reinstall everything.

I also found a way to make the tmp directory non-executable. That way even
if a script in the future is installed in that directory, it won't be
able to run.
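
The post above says the intrusion was visible as a long GET string in the Apache logs, with a script placed in the tmp directory and run with perl. As an added example (not part of the original post), here is a small log triage that flags GET requests whose query string is unusually long or mentions /tmp or perl after percent-decoding. The sample log lines, the 200-character threshold and all names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

MAX_QUERY_LEN = 200        # assumed threshold; tune to the site's normal traffic
TOKENS = ("/tmp", "perl")  # the two things the post mentions seeing

def triage(lines, max_query_len=MAX_QUERY_LEN):
    """Return a list of findings for GET requests worth a manual look."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, when, method, target, status, _size = m.groups()
        if method != "GET" or "?" not in target:
            continue
        path, query = target.split("?", 1)
        # Decode repeatedly so double percent-encoding does not hide a token.
        decoded = query
        for _ in range(3):
            nxt = unquote_plus(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        reasons = []
        if len(query) > max_query_len:
            reasons.append("long-query(%d)" % len(query))
        reasons += ["token:" + t for t in TOKENS if t in decoded.lower()]
        if reasons:
            findings.append({"line": lineno, "host": host, "time": when,
                             "path": path, "status": int(status), "reasons": reasons})
    return findings

# Constructed sample lines (not from the original post; documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [18/Feb/2005:10:00:01 -0500] "GET /board/index.php?t=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2005:10:02:13 -0500] "GET /board/page.php?x=' + "A" * 240 + ' HTTP/1.0" 200 312',
    '198.51.100.7 - - [18/Feb/2005:10:02:20 -0500] "GET /board/page.php?x=%2570erl%20%252Ftmp%252Fplaceholder HTTP/1.0" 200 298',
    '192.0.2.10 - - [18/Feb/2005:10:05:44 -0500] "POST /board/login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A noexec mount stops a file in that directory from being executed directly, but not an interpreter being handed the file as an argument, so log review of this kind stays useful after the mount option is changed.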


