On Wed, 2005-03-02 at 18:12 -0500, Chris Strzelczyk wrote:
> Alright well now it's certain I have a friend on my system. I have
> found this file named "https" on my
> system in /tmp
>
> I'm not as PERL savvy as I want to be but it does open IRC on the
> server. The file is owned by apache:apache. So it
> looks like my friend is using Apache as a tool. Would anybody have a
> clue on how he could get this in tmp and then run it?
> The file was not set executable either.
>

A perl script does not have to be executable to run. Perl can run the contents simply by reading it, without having execute permissions. The same thing applies to shell scripts, python scripts, etc.

>
> #!/usr/bin/perl

As others have already said, that box is now "owned" and the only certain way to wipe out the intrusion is to do a bare bones reinstall.
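The point made in the reply above, as an added example that is not part of the original thread: a check that lists files which carry an interpreter line but no execute bit, and a demonstration that such a file still runs when handed to an interpreter. The sample directory and file contents are constructed, the function names are hypothetical, and `sh` stands in for `perl` so the block has no extra dependencies.

```shell
#!/bin/sh
# Added example (not from the thread). All sample files below are constructed.

# Print regular files under DIR that have no execute bit yet start with "#!".
# Filenames containing newlines are not handled.
find_shebang_files() {
    find "$1" -xdev -type f ! \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\000')
        if [ "$magic" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample: a mode-0644 script named like the file in the thread.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho ran-without-x-bit\n' > "$d/https"
    chmod 0644 "$d/https"
    printf 'plain text\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Direct execution needs the execute bit: returns 0 only if execution is refused.
direct_exec_refused() {
    ! "$1" >/dev/null 2>&1
}

# Handing the file to an interpreter only needs read permission.
run_via_interpreter() {
    sh "$1"
}

demo() {
    dir=$(make_sample) || return 1
    echo "flagged: $(find_shebang_files "$dir")"
    direct_exec_refused "$dir/https" && echo "direct exec: refused"
    echo "via interpreter: $(run_via_interpreter "$dir/https")"
    rm -rf "$dir"
}
demo
```

Run against a world-writable directory such as /tmp, the same function surfaces script files regardless of their mode bits, which is why a missing execute bit is not evidence that a dropped file was never run.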