Well, disconnected now.

Actually I'm running phpBB on the system.
Going through the logs, I have seen some strange things.

It seems that obviously someone got into this server and made it download some nasty things.
I assume that they used phpBB to get in??

gulie.tgz, this one is clearly a virus; Symantec calls it "Linux.RST.B".
The others are
cycomm.tar.gz
roots.tar
Haven't got a clue what they are, but I don't think they are nice.

Now, the big question is, will they affect other boxes on the network as well?
I assume that the XP boxes should be alright.

Is there any app I can use to scan my other Linux boxes (not running httpd) and see if they are infected, and the infected one to find out what happened?

And yes, I will do a complete reinstall, on reformatted disks.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

> -----Original Message-----
> From: fedora-list-bounces@xxxxxxxxxx
> [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Scot L. Harris
> Sent: Wednesday, July 20, 2005 1:58 AM
> To: Fedora List
> Subject: Re: Strange connection
>
>
> On Tue, 2005-07-19 at 19:29, Tomas Larsson wrote:
> > Doing a netstat on my server, I find a strange connection.
> >
> > It's a crond-job with Apache as owner, and it seems to go to an
> > irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org",
> > anyone that knows what this is??
>
> Sounds like you need to disconnect this system from the
> Internet immediately and do a bare metal install.
>
> Don't try to take any half measures. Review the packages you
> have installed to figure out how they got in to start with.
> Running phpbb, awstat, or postnuke by chance?
>
>
> --
> Scot L. Harris
> webid@xxxxxxxxxx
>
> Yes, but every time I try to see things your way, I get a headache.
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>