On Thu, 03.03.2005 at 0:29, Chris Strzelczyk wrote:

> Sorry for the long posts I didn't know if attachments were allowed or
> frowned upon. Now that I have been given the rules I will obey them.

Small attachments like configuration files are allowed. Just don't reply by presenting your new content above the mail content you reply to. Quote what's needed to understand your new contribution and strip off the rest. Place the reply text below the quote. Thanks :)

> I do not have users on the system which are at all capable of something
> like this. This server runs sendmail, httpd, named, ftp, mysql (not
> accessible from outside yet), pop3, Squirrelmail (dovecot imap).
>
> I will start by looking at all those for recent security postings.
> Since the program in /tmp was owned by apache:apache I would imagine
> that the intruder used httpd to perform their exploit. That is where
> I'm at so far.
> -cs

See Dave's and Leonard's replies. Your system is owned! :(

And as it looks it is the worm / trojan known to come in by weak phpBB installs. I would very much appreciate it if you would inform us all how that could happen. Did you always install security updates quickly? Do you have something running with Apache which can be misused?

When the phpBB worm info came in through bugtraq I installed mod_security to disallow specific things. It is a nice add-on for Apache (1.3 and 2.0). I use it to restrict those ways the phpBB worm comes in, as some of my users use that forum software. http://www.modsecurity.org/ is, though, more general and not a phpBB protection tool. Worth having a look at it.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp
Serendipity 00:53:35 up 9 days, 12:02, load average: 0.32, 0.33, 0.33
Attachment: signature.asc
Description: This is a digitally signed message part
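The indicator the thread turns on is a program in /tmp owned by the web-server account. The triage check below is an added example for this thread, not code from either poster: it walks a scratch directory and reports entries owned by a given account that are executable or hidden, with mode, size and modification time for the incident timeline. It assumes the web server runs as `apache` (the account named in the report) and that a real scan is run as root against `/tmp`; the sample directory it builds for demonstration is constructed here and has nothing to do with the original system.

```python
"""Triage check for a scratch directory: flag files owned by the web-server
account that look out of place (executable or dot-hidden).
Added example for this thread. Assumes the web server account is 'apache'
as in the original report; run as root to see everything under /tmp."""
import os
import pwd
import stat
import sys
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class Finding:
    path: str
    mode: str                        # symbolic permissions, e.g. "-rwxr-xr-x"
    size: int
    mtime: str                       # local time of last modification
    reasons: list = field(default_factory=list)


def resolve_uid(account):
    """Accept a user name ('apache') or a numeric uid."""
    if isinstance(account, int):
        return account
    return pwd.getpwnam(account).pw_uid


def _inspect(path, uid):
    """Return a Finding if `path` is owned by `uid` and looks suspicious, else None."""
    try:
        st = os.lstat(path)          # lstat: never follow a symlink found in /tmp
    except OSError:
        return None
    if st.st_uid != uid:
        return None
    reasons = []
    if os.path.basename(path).startswith("."):
        reasons.append("hidden name")
    if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable")  # a web server has no reason to drop executables
    if not reasons:
        return None                  # plain session/cache files owned by the account are normal
    when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))
    return Finding(path, stat.filemode(st.st_mode), st.st_size, when, reasons)


def scan_tmp(directory, account):
    """Walk `directory` and return sorted Findings for the given account."""
    uid = resolve_uid(account)
    findings = []
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            found = _inspect(os.path.join(root, name), uid)
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tmp():
    """Constructed sample layout (not from the original report): one harmless
    session file, one executable dropped as 'update', one hidden directory.
    Everything is owned by the current user, so scan against that uid."""
    base = tempfile.mkdtemp(prefix="tmp_triage_")
    with open(os.path.join(base, "sess_1a2b3c"), "w") as fh:
        fh.write("session data\n")
    dropped = os.path.join(base, "update")
    with open(dropped, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(dropped, 0o755)
    hidden = os.path.join(base, ".cache")
    os.mkdir(hidden)
    return base, os.getuid(), {dropped, hidden}


if __name__ == "__main__":
    # Real use: sudo python3 tmp_triage.py /tmp apache
    # With no arguments, run against the constructed sample directory instead.
    if len(sys.argv) > 1:
        target, account = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "apache")
    else:
        target, account, _ = build_sample_tmp()
    for f in scan_tmp(target, account):
        print(f"{f.mode} {f.size:>8} {f.mtime} {f.path}  [{', '.join(f.reasons)}]")
```

The output is meant as a starting point for triage, not a verdict: on the system in the thread the next step is to preserve the flagged file (owner, timestamps, hash) before cleaning up, and to correlate its mtime against the httpd access log for the request that wrote it.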