Re: Server compromised

On Fri, 2005-02-18 at 18:45 -0800, paul@xxxxxxxxxxxxxxxxxxx wrote:
> >
> > On Fri, 18 Feb 2005 paul@xxxxxxxxxxxxxxxxxxx wrote:
> >
> >> In place of FTP, what would you suggest? That is the only clear text
> >> password service I allow. So what else can I use in place of that?
> >>
> >> And shell access is denied for all accounts except for 2.
> >>
> >> I get the feeling this came in on awstats although I'm not 100%
> >> positive
> >> and I'm wanting to find out how it got in first before I just delete and
> >> restart over again.
> >
> > The only time I've had a Linux box compromised, it came in via a poorly
> > configured ftp. What ftp server are you using? I had a wu-ftp (IIRC)
> > online for about 20 minutes and a rootkit was installed in that time.
> >
> > Cheers,
> >
> > Al
> 
> 
> I have vsftpd.
> 
> Actually I found the hole.
> 
> It was on a phpbb board version 2.0.6. This isn't my board but a friend's.
> I just host it for him.  There is a script that is installed in the tmp
> directory which is then run with perl.  If I look in my apache logs I can
> see this long GET string.
> 
There is a known hole in phpBB.

Make sure you have the updated code and not the vulnerable one.

> So I'm gonna reinstall everything.
> 
> I also found a way to make the tmp directory non-executable. That way even
> if a script in the future is installed in that directory, it won't be
> able to run.
> 
> 
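
Added example, not part of the original thread: a shell sketch of the two checks the post describes, listing unusually long GET request lines from an Apache access log and testing whether /tmp is mounted noexec. The function names, the 200-byte threshold and all sample log and mount-table lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All sample data is constructed.

# long_gets LOG [MAX]: for each GET whose request line exceeds MAX bytes
# (default 200), print "client_ip length first-80-chars-of-request".
# Assumes Apache common/combined format with no escaped quotes in the request.
long_gets() {
    awk -F'"' -v max="${2:-200}" '
        $2 ~ /^GET / && length($2) > max {
            split($1, pre, " ")
            printf "%s %d %s\n", pre[1], length($2), substr($2, 1, 80)
        }' "$1"
}

# is_noexec MOUNTPOINT [TABLE]: succeed only if MOUNTPOINT appears in TABLE
# (default /proc/mounts) with the noexec option on its last matching entry.
is_noexec() {
    awk -v mp="$1" '
        $2 == mp { opts = $4 }
        END { exit (index("," opts ",", ",noexec,") == 0) }' "${2:-/proc/mounts}"
}

# Constructed sample data: three log lines (one with a 300-byte padded query)
# and two mount tables, one without and one with noexec on /tmp.
make_samples() {
    pad=$(printf '%0300d' 0)
    {
        printf '%s\n' '192.0.2.7 - - [18/Feb/2005:10:00:01 -0800] "GET /forum/index.php HTTP/1.1" 200 5120'
        printf '%s\n' "192.0.2.10 - - [18/Feb/2005:10:00:02 -0800] \"GET /forum/index.php?q=$pad HTTP/1.1\" 200 5120"
        printf '%s\n' '192.0.2.7 - - [18/Feb/2005:10:00:03 -0800] "POST /forum/login.php HTTP/1.1" 302 0'
    } > "$1/access_log"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/dev/sda2 /tmp ext3 rw 0 0' > "$1/mounts.exec"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' '/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0' > "$1/mounts.noexec"
}

dir=$(mktemp -d)
make_samples "$dir"
long_gets "$dir/access_log"
for t in mounts.exec mounts.noexec; do
    if is_noexec /tmp "$dir/$t"; then echo "$t: /tmp is noexec"; else echo "$t: /tmp allows exec"; fi
done
```

noexec only blocks direct execution of files on that mount; a script handed to an interpreter as an argument, as with the perl invocation described above, is still read and run, so updating phpBB remains the fix.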

