On Tue, 2006-05-16 at 21:25 +0100, Stuart Sears wrote:
> CodeHeads wrote:
> > On Tue, 16 May 2006 15:03:49 -0400 CodeHeads <kingcobra@xxxxxxxxxxxxxx> wrote:
> <snip lots of perl cruft>
> > What I cannot understand is how someone can upload to the tmp dir. I
> > guess I am still learning. Can someone shed some light on this?
>
> it is not an uncommon method to use a box as a drone - find a
> vulnerability that you can exploit, dump an executable file in /tmp, run
> it as the apache user.
>
> what version of FC is this on?
>
> Are you running some kind of PHP web application?
>
> Are you running with SELinux in enforcing mode?
> (based on the general impression I get that apache appears to be running
> files from /tmp, I would guess not)
>
> it looks like you have been compromised. Possibly by a PHP exploit (I
> hear there have been quite a few of these over the last year or so)
>
> There are others here on the list who may have more experience with this
> than I, but if you *have* been compromised, the only safe course of
> action is to reinstall the affected system from known good media.
>
> You can no longer trust any of the applications on the affected box.

You also probably want to check to see if your IP address is listed in any
of the spam blacklists since your machine has been sending out lottery scam
emails.

Paul.
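As an added example (not from the thread or its participants), a small POSIX sh script covering the checks raised above: the SELinux mode, whether /tmp is mounted noexec, executable files in /tmp owned by the web-server user, and the reversed-octet DNSBL query used to see whether an address is listed. The user name "apache" and the zen.spamhaus.org zone are assumed defaults; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the web server runs as
# user "apache" and uses zen.spamhaus.org as the default DNSBL zone.

# Build the reversed-octet name a DNSBL expects: 192.0.2.1 -> 1.2.0.192.<zone>
dnsbl_query_name() {
  ip=$1
  zone=$2
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Return 0 when the blacklist answers with a 127.0.0.x listing code (needs dig).
dnsbl_listed() {
  dig +short A "$(dnsbl_query_name "$1" "${2:-zen.spamhaus.org}")" | grep -q '^127\.'
}

# Return 0 when a /proc/mounts-style line carries the given mount option.
mount_has_opt() {
  opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
  case ",$opts," in *",$2,"*) return 0 ;; esac
  return 1
}

# Executable regular files in /tmp owned by the web-server user.
find_tmp_execs() {
  find /tmp -xdev -type f -perm -u+x -user "${1:-apache}" 2>/dev/null
}

audit() {
  web_user=${1:-apache}
  echo "SELinux: $(command -v getenforce >/dev/null 2>&1 && getenforce || echo 'not available')"
  tmp_line=$(awk '$2 == "/tmp"' /proc/mounts 2>/dev/null)
  if [ -z "$tmp_line" ]; then
    echo "/tmp: not a separate mount, so noexec cannot be applied to it"
  elif mount_has_opt "$tmp_line" noexec; then
    echo "/tmp: mounted noexec"
  else
    echo "/tmp: WARNING - mounted without noexec"
  fi
  echo "Executables in /tmp owned by $web_user:"
  find_tmp_execs "$web_user"
}

# Run the audit only when asked: sh audit.sh --audit [web_user]
case "${1-}" in --audit) audit "${2-}" ;; esac
```

A listing (a 127.0.0.x answer from the DNSBL) means the box has already been seen sending spam, which supports the reinstall advice above rather than replacing it.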