Nick wrote:
> Rick Philbrick wrote:
>> Hi,
>>
>> Well that's telling. So do you have chkrootkit installed? Although
>> you know you've got to have a root-kit on there. Anyway, it may help
>> narrow your search of the directories and the changes within.
>>
>> -rickp
>>
>
> Well I quarantined the files and then ran rkhunter and chkrootkit and
> both came back ok. Not going to risk not starting over on the box but if
> I can't tell how they got in then I'm not stopping it happening again.
> It could of course have something to do with one of the webapps the box
> runs (forum software)...
>
> Also I found my iptables script wasn't blocking port 80 and port 21
> outbound.... schoolboy error.
>

Hi -

I'm guessing that this happened by an overly friendly webapp, since the processes are in fact running under the 'apache' username. I think that if I were doing this - and I had a clue - I'd run this application under a less conspicuous username. You probably knew that. Couldn't hurt to throw that out, eh?

Thanks
-dant