Re: mystery process "unit"

On Tuesday 12 August 2008 10:16, Rainer Duffner wrote:
> Anything in /tmp ?
>
> Disable register_globals and allow_url_fopen.
> Set open_basedir for any virtual hosts to the absolute minimum.

allow_url_fopen was enabled on one of many sites. A developer put in an unsafe 
PHP include(). This allowed the w0rm to run a remote PHP script which used 
exec() to fetch and spawn the shellbot. Pretty standard. But it also did a 
decent job of removing itself from the filesystem. Lucky I noticed the weird 
process this morning, no harm done it seems.

I have mod_security installed now, but I tested a similar attack, and sadly, 
it still succeeds as long as allow_url_fopen is on. But this is not CentOS 
related.

cheers
Sam
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
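
The settings named in this thread (register_globals, allow_url_fopen, open_basedir) can be checked per virtual host. The script below is an added example, not part of the original mail: it layers each vhost's mod_php php_flag/php_value/php_admin_* overrides on top of php.ini and reports what is still risky. The host names and config text are constructed samples, and it assumes mod_php-style directives inside <VirtualHost> blocks.

```python
import re

# PHP's built-in defaults apply when php.ini does not set a directive:
# allow_url_fopen defaults to on, register_globals to off (since PHP 4.2).
DEFAULTS = {"allow_url_fopen": "1", "register_globals": "0"}
RISKY_FLAGS = ("register_globals", "allow_url_fopen")
TRUE_VALUES = {"1", "on", "true", "yes"}
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
PHP_DIRECTIVE_RE = re.compile(
    r"^[ \t]*php_(?:admin_)?(?:flag|value)[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.I | re.M)
SERVERNAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)

def parse_php_ini(text):
    """Return the directives set in php.ini text (last assignment wins)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(ini_text, httpd_text):
    """Return {vhost name: [findings]} for the settings named in the thread."""
    base = {**DEFAULTS, **parse_php_ini(ini_text)}
    report = {}
    for block in VHOST_RE.findall(httpd_text):
        m = SERVERNAME_RE.search(block)
        name = m.group(1) if m else "(unnamed)"
        eff = dict(base)
        for key, value in PHP_DIRECTIVE_RE.findall(block):
            eff[key.lower()] = value.strip('"')  # vhost override wins
        findings = [f"{k} is enabled" for k in RISKY_FLAGS
                    if eff.get(k, "").lower() in TRUE_VALUES]
        if not eff.get("open_basedir"):
            findings.append("open_basedir is not set")
        report[name] = findings
    return report

# Constructed sample input: allow_url_fopen is only commented out in php.ini.
SAMPLE_INI = "[PHP]\nregister_globals = Off\n;allow_url_fopen = Off\n"
SAMPLE_HTTPD = (
    "<VirtualHost *:80>\n  ServerName shop.example.test\n"
    "  php_admin_flag allow_url_fopen off\n"
    "  php_admin_value open_basedir /var/www/shop:/tmp/shop\n</VirtualHost>\n"
    "<VirtualHost *:80>\n  ServerName blog.example.test\n</VirtualHost>\n")

if __name__ == "__main__":
    for vhost, findings in audit(SAMPLE_INI, SAMPLE_HTTPD).items():
        print(vhost, findings or "ok")
```

The second sample vhost is flagged even though php.ini never turns allow_url_fopen on: a commented-out line leaves the built-in default in effect.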