RE: Blackhole

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Is it possible that you have some shell accounts on your system and that one of your users is trying to run this?  The C code by itself won't harm anything, and from what you say, it does not appear to have been compiled.  Perhaps just upgrading to the newest apache will fix?  Looking at the links provided below seem to indicate that the executable must be run, to try to break the apache server through the listed port.  I've seen this attempt many times on my machine, & AFAIK, it's never been successful.
 
    -Tom

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]On Behalf Of Chris Kenward
Sent: Monday, April 11, 2005 10:23 AM
To: mklinke@xxxxxxxx; 'General Red Hat Linux discussion list'
Subject: RE: Blackhole



Hi Mike 

> Perhaps this will help to identify the file: 

> http://www.packetstormsecurity.org/0209-exploits/free-apache.txt 
> http://mx.mcafee.com/virusInfo/default.asp?id=description <http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670> &virus_k=100670 

> If your machine has been compromised, the best thing to do is to 
> format and re-install, taking care not to open the same secuity 
> hole that allowed the first compromise. 

Many thanks. The web server has more than 200 websites on it, which is going 
to make it exceedingly difficult to track which of those allowed the attack. 
The server has only recently been rebuilt, at the cost of lots of stress 
while our customers whinged about their sites not being there, and I'm 
pretty loathe to go through that all again. 

There is mention in the link above regarding directories called: 
/tmp/.blackhole.c 

There isn't a directory called .blackhole.c on the server - just the one 
executable binary in the /tmp folder. I can't find anything else on the 
server which looks as though someone has had root access to the machine but 
there again I'm no Linux expert so it could be staring me in the face. 

Is there an "easy" way to track how this person got into the server? I 
notice that the latest update for PHP from the RHN is 4.3.2 and I understand 
from searches I've done on the 'net that 4.3.10 or even the latest 4.3.11 is 
urgently advised due to "holes" in earlier versions. Not sure, however, 
whether this is how the person managed to drop that on the server. 

Regards 
Chris 


-- 
redhat-list mailing list 
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe 
https://www.redhat.com/mailman/listinfo/redhat-list 

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subjecthttps://www.redhat.com/mailman/listinfo/redhat-list


[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux