On Wed, 2 Mar 2005 18:12:05 -0500, Chris Strzelczyk <cstrzelczyk@xxxxxxxxxxxxxxxxxxx> wrote:

> Alright well now it's certain I have a friend on my system. I have
> found this file named "https" on my system in /tmp
>
> I'm not as PERL savvy as I want to be but it does open IRC on the
> server. The file is owned by apache:apache. So it looks like my friend
> is using Apache as a tool. Would anybody have a clue on how he could
> get this in tmp and then run it? The file was not set executable either.
> [snip]

You have been owned. You don't know the extent or how the intrusion happened. Any ID and password on that system can be considered compromised. The system could have been used as a stepping stone to get to other systems.

The only safe bet is to save your content (review it to make sure it was not compromised), and reload the server. Lock it down, including limiting the daemons running, and secure those. Change passwords to strong passwords on all accounts on all systems. Lock down your perimeter.

This could turn into a book, but this is what I recommend to start with. Reload and secure your system.

-- 
Leonard Isham, CISSP
Ostendo non ostento.
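A defender-side triage helper, added here as an example and not part of either message in the thread: it flags files in a temp directory that match what Chris describes (owned by the web-server account, a Perl script, IRC commands inside) and deliberately ignores the execute bit, because a missing +x does not stop `perl /tmp/https` from running the file. The directory, the uid used as the web-server uid, and the sample file contents are constructed for the demo.

```python
"""Flag IRC-capable Perl scripts dropped in a temp directory by the web-server account."""
import os
import re
import stat
import tempfile

# Commands an IRC client must send after connecting; a bot embeds them in its source.
IRC_MARKERS = re.compile(rb"\b(NICK|JOIN|PRIVMSG)\s+[#\w]")
PERL_SHEBANG = re.compile(rb"\A#!.*perl")

def is_suspicious(path, web_uid):
    """True if `path` is a regular file owned by `web_uid`, is Perl, and talks IRC.
    The execute bit is intentionally not checked: an interpreter runs it regardless."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != web_uid:
        return False
    with open(path, "rb") as fh:
        head = fh.read(65536)
    return bool(PERL_SHEBANG.search(head) and IRC_MARKERS.search(head))

def scan_tmp(directory, web_uid):
    """Return sorted paths directly under `directory` that look like IRC bots."""
    hits = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if is_suspicious(full, web_uid):
            hits.append(full)
    return sorted(hits)

def demo():
    """Build a constructed /tmp lookalike, scan it, and return the flagged file names."""
    d = tempfile.mkdtemp()
    # Constructed sample resembling the reported file: Perl, IRC commands, mode 0644 (no +x).
    bot = os.path.join(d, "https")
    with open(bot, "wb") as fh:
        fh.write(b"#!/usr/bin/perl\nuse IO::Socket;\n"
                 b"print $sock \"NICK bot\\r\\n\";\nprint $sock \"JOIN #chan\\r\\n\";\n")
    os.chmod(bot, 0o644)
    # Benign neighbour: a Perl file with no IRC traffic, which must not be flagged.
    with open(os.path.join(d, "sess_cache.pl"), "wb") as fh:
        fh.write(b"#!/usr/bin/perl\nprint \"session cache\\n\";\n")
    # Assumption for the demo: the current uid stands in for the apache uid (no chown needed).
    return [os.path.basename(p) for p in scan_tmp(d, os.getuid())]

if __name__ == "__main__":
    print(demo())  # ['https']
```

On a real host, call `scan_tmp("/tmp", pwd.getpwnam("apache").pw_uid)` and treat any hit as a lead for the full rebuild Leonard recommends, not as something to clean in place.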