Kk, here is what I've got so far:

My system seems to be infected by some kind of trojan/worm/virus called Unix/Hacktop, which does (from what I'm seeing) some kind of scanport via ssh (22). I found some related info saying that the intruder could be using a security flaw from AWSTATS + Apache to get a valid root bash session over port 80.
Now the intruder created a few files, infected some others and is using this scanport. I stopped the scanport by blocking the output of ssh in my iptables and was able to erase some virus related files.
Now I want to know just 2 things: First, how can I be sure that it all happened because of the awstats security flaw? Second, how could I completely remove this Unix/Hacktop from my system (Linux RedHat9 k2.4)?
PS: I know that the second question doesn't have anything to do with the httpd list at all, but if someone could please help me, I would be really thankful! :)
Best Regards,
Anderson

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.