-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CodeHeads wrote: > On Tue, 16 May 2006 15:03:49 -0400 CodeHeads <kingcobra@xxxxxxxxxxxxxx> wrote: <snip lots of perl cruft> What I cannot understand is how someone can upload to the tmp dir. I guess I am still learning. Can someone shed some light on this? it is not an uncommon method to use a box as a drone - find a vulnerability that you can exploit, dump an executable file in /tmp, run it as the apache user. what version of FC is this on? Are you running some kind of PHP web application? Are you running with SElinux in enforcing mode? (based on the general impression I get that apache appears to be running files from /tmp, I would guess not) it looks like you have been compromised. Possibly by a PHP exploit (I hear there have been quite a few of these over the last year or so) There are others here on the list who may have more experience with this than I, but if you *have* been compromised, the only safe course of action is to reinstall the affected system from known good media. You can no longer trust any of the applications on the affected box. Regards Stuart - -- Stuart Sears RHCA RHCX To err is human, to forgive is Not Company Policy. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFEajVSamPtx1brPQ4RAiV7AJ9r3LifTQK3D/zaA/DQpiCp2go7zACfavQe pphHQsdVX+y28nm53HVO9zk= =W1kl -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
