On Thu, 3 Mar 2005 00:11:26 -0500, Chris Strzelczyk <cstrzelczyk@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mar 3, 2005, at 12:11 AM, Thomas Cameron wrote:
>
> > <snip>
> >
> > Look in /var/tmp - anything there called aVe or uselib24 or bots.txt?
> > Also, look in your /var/log/httpd area for anything weird in access_log
> > or error_log.
>
> Yes, I did have a couple of PERL programs in /var/tmp. One was called
> https and it is attached.
> As far as I understand this vulnerability it is limited to the user
> Apache is run by correct?
>

The key question is "As far as I understand this vulnerability it is limited to the user Apache is run by correct?"

The answer is you don't know how far they went. Once you have local access then you can use a second exploit to get root access, or attack another system using the owned system. If the user apache was not configured properly then they may have been able to steal the shadow file and crack your passwords.

Please do everyone a favor, if you have not already done this. Pull the plug, yes I mean this and I mean right now. Don't power it back up until you have the CDs to reload it, without a network connection. You have seen the rest in other posts.

Maybe it will help if you understand that CISSP is Certified Information Systems Security Professional and requires a minimum of 2 years experience and passing a 6 hour exam. In other words I'm not just making this up.

--
Leonard Isham, CISSP
Ostendo non ostento.