On Monday 11 April 2005 09:22, Chris Kenward wrote:
> Hi Mike
>
> > Perhaps this will help to identify the file:
> >
> > http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
> > http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670
> >
> > If your machine has been compromised, the best thing to do is
> > to format and re-install, taking care not to open the same
> > security hole that allowed the first compromise.
>
> Many thanks. The web server has more than 200 websites on it,
> which is going to make it exceedingly difficult to track which of
> those allowed the attack. The server has only recently been
> rebuilt, at the cost of lots of stress while our customers
> whinged about their sites not being there, and I'm pretty loath
> to go through all that again.
>
> There is mention in the link above regarding directories called:
> /tmp/.blackhole.c
>
> There isn't a directory called .blackhole.c on the server - just
> the one executable binary in the /tmp folder. I can't find
> anything else on the server which looks as though someone has had
> root access to the machine, but there again I'm no Linux expert so
> it could be staring me in the face.
>
> Is there an "easy" way to track how this person got into the
> server? I notice that the latest update for PHP from the RHN is
> 4.3.2 and I understand from searches I've done on the 'net that
> 4.3.10 or even the latest 4.3.11 is urgently advised due to
> "holes" in earlier versions. Not sure, however, whether this is
> how the person managed to drop that on the server.
>
> Regards
> Chris

Here is a well known project that may help to evaluate your system:

http://freshmeat.net/projects/chkrootkit/

You can also use rpm to verify your system files ( --verify switch ).

Regards, Mike Klinke

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
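The `rpm --verify` check Mike recommends, as an added example that is not part of the thread: a small shell filter over `rpm -Va` output that lists package-owned, non-config files whose digest or mode no longer matches the RPM database, which is the short list worth inspecting first on a box with an unexplained binary in /tmp. The sample `rpm -Va` lines are constructed for the example; the real command is shown commented out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Red Hat-style host where
# "rpm -Va" prints one line per file that fails verification, in the form:
#   <verify flags> [attr] <path>
# Flag positions: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime (newer rpm adds P capabilities). '.' = test passed,
# '?' = not tested. A 'c' attribute marks a config file.

# Print paths whose digest (5) or mode (M) changed, skipping config files
# (admins edit those legitimately) and "missing" entries. Reads stdin.
filter_rpm_verify() {
    awk '
        (length($1) == 8 || length($1) == 9) && $1 ~ /^[SM5DLUGTP.?]+$/ {
            flags = $1; attr = ""; path = $2
            if (NF >= 3) { attr = $2; path = $3 }
            if (attr == "c") next
            if (index(flags, "5") > 0 || index(flags, "M") > 0) print path
        }
    '
}

# Constructed sample of rpm -Va output: a replaced /bin/ls, a find binary
# with changed permissions, an edited config file and a doc file missing.
SAMPLE='S.5....T    /bin/ls
.M......    /usr/bin/find
S.5....T  c /etc/httpd/conf/httpd.conf
.......T    /usr/lib/libz.so.1
missing     /usr/share/doc/foo/README'

# Returns the suspicious paths from the constructed sample.
suspicious_binaries() {
    printf '%s\n' "$SAMPLE" | filter_rpm_verify
}

# On the host under investigation you would run instead:
#   rpm -Va 2>/dev/null | filter_rpm_verify
# and compare each hit against a clean copy of the same package version.
```

A digest mismatch on a shared library or a core utility such as ls, ps or netstat is the classic rootkit footprint; an unchanged rpm database does not prove a clean system, since an intruder with root can also re-sign or replace the database.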