Re: [users@httpd] irc eggdrop exploit woes

Using some packaged distro (such as Fedora), it is pretty easy:

rpm -VVV on each package, and reinstall the affected ones (supposing
that you have some binary replaced)

The eggdrop... you can wipe it off the disk

Eben Goodman wrote:
> I actually know which user it got through on, it came in through an
> insecure php nuke application.  I have since removed the nuke app, but
> the damage appears to be done, since this eggdrop crap is still running
> on the server.  Is there a way to find, and remove the software once it
> has found its way on?
> 
> thanks,
> Eben
> 
> Dan Mahoney, System Admin wrote:
> 
>> On Mon, 6 Jun 2005, Eben Goodman wrote:
>>
>> If you're doing multi-hosting, look into suexec.  The fact that it
>> runs CGIs as the user is kinda secondary to the fact that it shows
>> you WHICH user uploaded the insecure script.
>>
>> For PHP scripts, I've had good luck running suPHP (which is not an
>> official Apache project, but something similar really should be).
>>
>> -Dan
>>
>>
>>> I recently had an irc exploit on my server running this eggdrop relay
>>> thing via apache.  I was able to find the offending files and remove
>>> them and the eggdrop processes went away for a while, but now they are
>>> back and try as I might I can't find any files that correspond to
>>> this software.  When viewing top it shows the eggdrop processes
>>> running as apache.  If I don't reboot the server for a couple days
>>> the eggdrop apache processes start sucking up all cpu and gobbling
>>> bandwidth.
>>>
>>> Has anyone else dealt with this?
>>>
>>> thanks,
>>> Eben
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>
>>
>> -- 
>>
>> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu
>> komputerov "Personal'ni Sputnik"
>>
>> --Snap, "The Power"
>>
>> --------Dan Mahoney--------
>> Techie,  Sysadmin,  WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144   AIM: LarpGM
>> Site:  http://www.gushi.org
>> ---------------------------
>>
> 

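The package verification suggested in the reply at the top of this message, as an added example that is not part of the original thread: a filter that reads `rpm -V` output and keeps only non-config files whose digest, size, mode or ownership differ from the package database, or that are missing. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` / `rpm -Va` output.
# Line format: <flags> [<attr>] <path>   e.g. "S.5....T.  c /etc/httpd/conf/httpd.conf"
# Flags: S size, M mode, 5 digest, U owner, G group, T mtime; "missing" = file gone.
# Attr:  c config, d doc, g ghost, l license, r readme.

suspicious_rpm_changes() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)        # drop the flags column
        attr = ""
        if (rest ~ /^[cdglr][ \t]+\//) {       # optional attribute marker
            attr = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        if (rest !~ /^\//) next                # not a file line (dependency notes etc.)
        if (attr == "c" || attr == "g") next   # config and ghost files change legitimately
        if (flags == "missing") { print "MISSING\t" rest; next }
        reason = ""
        if (flags ~ /5/)    reason = reason "digest,"
        if (flags ~ /S/)    reason = reason "size,"
        if (flags ~ /M/)    reason = reason "mode,"
        if (flags ~ /[UG]/) reason = reason "owner,"
        if (reason == "") next                 # mtime-only differences are ignored
        sub(/,$/, "", reason)
        print reason "\t" rest
    }'
}

# Constructed sample of verify output, so the filter can be tried offline.
sample_rpm_verify_output() {
cat <<'EOF'
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.  d /usr/share/doc/foo/README
S.5....T.    /bin/ps
..5....T.    /usr/bin/top
missing      /usr/sbin/lsof
.M...UG..    /usr/bin/netstat
EOF
}

# Live use on an RPM-based host (as root), listing the packages to reinstall:
#   rpm -Va 2>/dev/null | suspicious_rpm_changes | cut -f2 | xargs -r rpm -qf | sort -u
sample_rpm_verify_output | suspicious_rpm_changes
```

The result is only as trustworthy as the `rpm` binary and database doing the checking, so if root access may have been gained, run the verification from rescue media with `rpm --root` pointed at the mounted system.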


