Re: Strange connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Matthew Saltzman wrote:

On Tue, 19 Jul 2005, Gabe Warren wrote:

Tomas Larsson wrote:

Doing a netstat on my server, I find a strange connection.

It's a crond-job with Apache as owner, and it seems to go to an
irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org", anyone
that knows what this is??

Do you have awstats installed? Check and see if you have any hidden directories in /tmp. There is an awstats exploit that allows uploads as the apache user. I found a process running as apache called init.d on one of my servers. It too was initiaiting connections out to IRC. The EnergyMech irc bot was uploaded and executed from the /tmp/.bin directory.

This person has explained in detail his experience.

http://www.angelar.com/~jeremy/computer/hacked.html

Maybe this is what happened to you.


Just FYI, awstats-6.4 has that particular security hole patched. If you are running anything older, upgrade now!
enter email address


gabe




I'm running FC2 now. I did a netstat and didn't see any connections
I couldn't account for.

I have set up for FC2 legacy updates, and done a

# yum update

which pulled several packages.

What should I do in order to defend against this sort of attack?
I'm not familiar with iptables, though I just looked, and it
didn't look like much was blocked. I don't have awstats, I guess,
as

$ su -
# man awstats
No manual entry for awstats

Mike

--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux