On Thu, 2005-03-03 at 00:11 -0500, Chris Strzelczyk wrote: > On Mar 3, 2005, at 12:11 AM, Thomas Cameron wrote: > > > > > <snip> > > > > Look in /var/tmp - anything there called aVe or uselib24 or bots.txt? > > Also, look in your /var/log/httpd area for anything weird in access_log > > or error_log. > > Yes, I did have a couple of PERL programs in /var/tmp. One was called > https and it is attached. > As far as I understand this vulnerability it is limited to the user > Apache is run by correct? You don't say which distribution this web server was running, but I suspect that if your Apache had been running under SELinux then the attacker would not have been able to run any scripts from /tmp or /var/tmp. So, when you rebuild the server, it would be well worth considering using SELinux. Paul. -- Paul Howarth <paul@xxxxxxxxxxxx>
