Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....


Linux Advocate wrote:
> DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? 
> AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
>
> Was this why rkhunter popped out with this warning?
>
> * Filesystem checks
>    Checking /dev for suspicious files...                      [ OK ]
>    Scanning for hidden files...                               [ Warning! ]
> ---------------
> /etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
> ---------------
> Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)  /dev/.udev (directory)
>
> Should I delete these files? Are the man files normally .gz or .bz2?
>
> There is also a similar entry, where another file called unix2.tgz was downloaded....
>
> But I can't find these files on the HDisk?
> Guys, I am out of my league here. All assistance is deeply appreciated.
>   

I *hope* this machine is disconnected from the internet and running a 
liveCD to investigate this.

Yes, it appears you've been hacked, and have stealth files (any file 
with . in front of the name is hidden and would only show with ls -a), and 
if you *are* rootkitted, there's a strong possibility your ls and other 
command tools have been replaced.

And it appears it came in via an exploit in that horde framework (I 
know nothing about horde).
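
Following the reply's point that `ls` on a suspect host cannot be trusted, this added example (not part of the original thread) lists dot-entries by reading directories directly from Python, meant to be run from a live CD against the suspect disk mounted read-only. The function names, the `reviewed` set and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any gzip stream

def describe(path):
    """Classify an entry without following symlinks."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            return "gzip data" if fh.read(2) == GZIP_MAGIC else "regular file"
    return "special file"  # device nodes, sockets, FIFOs are never opened

def find_hidden(root, subdirs, reviewed=()):
    """Return sorted (path, kind) pairs for dot-entries under root/subdirs.

    root is the mount point of the suspect filesystem; reviewed holds paths
    (as seen on the original system) the investigator has accounted for.
    """
    hits = []
    for sub in subdirs:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, sub)):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                rel = "/" + os.path.relpath(full, root)
                if name.startswith(".") and rel not in reviewed:
                    hits.append((rel, describe(full)))
    return sorted(hits)

def build_sample(root):
    """Constructed tree mirroring the three paths in the rkhunter output."""
    for d in ("etc", "dev/.udev", "usr/share/man/man1"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "etc/.pwd.lock"), "wb").close()
    for name in ("..1.gz", "ls.1.gz"):  # ls.1.gz is not hidden
        with open(os.path.join(root, "usr/share/man/man1", name), "wb") as fh:
            fh.write(GZIP_MAGIC + b"\x08\x00")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as mnt:  # stands in for the mount point
        build_sample(mnt)
        for rel, kind in find_hidden(mnt, ["etc", "dev", "usr/share/man"]):
            print(f"{rel} ({kind})")
```
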

