RE: Blackhole

You may not have to reinstall the whole system, /tmp is likely the only directory that was writable through an exploit. What does the program do, is it a DDOS attack program?


On Mon, 11 Apr 2005, Chris Kenward wrote:

Hi Mike

Perhaps this will help to identify the file:

http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670

If your machine has been compromised, the best thing to do is to
format and re-install, taking care not to open the same security
hole that allowed the first compromise.

Many thanks. The web server has more than 200 websites on it, which is going to make it exceedingly difficult to track which of those allowed the attack. The server has only recently been rebuilt, at the cost of lots of stress while our customers whinged about their sites not being there, and I'm pretty loath to go through that all again.

There is mention in the link above regarding directories called:
/tmp/.blackhole.c

There isn't a directory called .blackhole.c on the server - just the one
executable binary in the /tmp folder. I can't find anything else on the
server which looks as though someone has had root access to the machine but
there again I'm no Linux expert so it could be staring me in the face.

Is there an "easy" way to track how this person got into the server? I
notice that the latest update for PHP from the RHN is 4.3.2 and I understand
from searches I've done on the 'net that 4.3.10 or even the latest 4.3.11 is
urgently advised due to "holes" in earlier versions. Not sure, however,
whether this is how the person managed to drop that on the server.

Regards
Chris
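The two questions in this exchange (what was written to /tmp, and which of the 200 sites' requests put it there) can be narrowed down by inventorying executables in /tmp and pulling the access-log lines from around each file's modification time. The script below is an added triage example written for this thread; it is not code from the original posts or from Red Hat. It assumes GNU coreutils (`stat -c`, `date -d`) as found on a Red Hat host, POSIX find and awk, and an Apache common/combined-format access log whose timezone offset matches the host's local zone (times are compared as local YYYYMMDDHHMMSS strings and the log's offset is ignored). The scratch directory, the file named `unknown_binary` and the four log lines are constructed demo data, not evidence from the thread.

```shell
#!/bin/sh
# Added triage example for this thread; not code from the original post or
# from Red Hat. Assumes GNU coreutils (stat, date), POSIX find and awk, and
# an Apache access log whose timezone offset equals the host's local zone.
set -e

# Inventory: every regular file under $1 with any execute bit, printed as
# "<mtime epoch> <owner> <path>" sorted by mtime. On a web host the owner
# tells you whether the file was written as the httpd user or as root.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec stat -c '%Y %U %n' {} + | sort -n
}

# Correlation: print lines of access log $1 whose request time lies within
# +/- $3 seconds (default 600) of epoch time $2. The request that dropped a
# file into /tmp normally sits inside that window.
log_lines_near() {
    log=$1; when=$2; win=${3:-600}
    lo=$(date -d "@$((when - win))" +%Y%m%d%H%M%S)
    hi=$(date -d "@$((when + win))" +%Y%m%d%H%M%S)
    awk -v lo="$lo" -v hi="$hi" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        # Apache timestamp looks like [11/Apr/2005:10:15:32 +0100]
        match($0, /\[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) {
            ts = substr($0, RSTART + 1, RLENGTH - 1)
            split(ts, p, /[\/:]/)            # dd Mon yyyy HH MM SS
            key = p[3] mon[p[2]] p[1] p[4] p[5] p[6]
            if (key >= lo && key <= hi) print
        }' "$log"
}

# Constructed demo data: a scratch directory standing in for /tmp plus a
# four-line fake access log. Prints the scratch root.
make_demo() {
    root=$(mktemp -d)
    mkdir "$root/tmp"
    printf 'x' > "$root/tmp/unknown_binary"
    chmod 755 "$root/tmp/unknown_binary"
    touch -t 200504111015.30 "$root/tmp/unknown_binary"   # 11 Apr 2005 10:15:30 local
    printf 'notes' > "$root/tmp/readme.txt"                # no execute bit: not listed
    cat > "$root/access_log" <<'EOF'
10.0.0.5 - - [11/Apr/2005:09:02:11 +0100] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [11/Apr/2005:10:14:58 +0100] "POST /site42/upload.php HTTP/1.0" 200 88
10.0.0.9 - - [11/Apr/2005:10:15:25 +0100] "GET /site42/files/ HTTP/1.0" 200 310
10.0.0.5 - - [11/Apr/2005:12:40:03 +0100] "GET /about.html HTTP/1.0" 200 1044
EOF
    echo "$root"
}

# Run the two steps over the demo data; on a real host point them at /tmp
# and at each virtual host's access log in turn.
DEMO_ROOT=$(make_demo)
list_executables "$DEMO_ROOT/tmp" | while read -r mtime owner path; do
    echo "== $path (owner $owner) =="
    log_lines_near "$DEMO_ROOT/access_log" "$mtime"
done
```

With 200 virtual hosts, the time window is what makes this tractable: only the log of the site that received a request in the minutes before the file's mtime needs reading in full. The file's owner is the second clue; a file owned by the httpd user points at a web-application hole rather than a root compromise, while root-owned files in /tmp or modified packaged binaries (which `rpm -Va` on a Red Hat system reports as changed files) would support the "format and re-install" advice above.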



