unknown scripts are running the server
Net Llama!
netllama
Mon May 17 11:55:54 PDT 2004
On Fri, 21 Nov 2003, Swapana Ghosh wrote:
> Hi to all
>
> Few days back two of our clients' servers were hacked by the *Br*
> group of hackers...
>
> Now we are seeing that occasionally some scripts are running and
> creating files under /tmp file with the user/group as *httpd:root*...
>
> Today also we found one script is running as follows:
>
> ---------------------------------------------------------------------
> sh -c find / \\ | grep httpd.conf 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm
> /tmp/cmdtemp
>
> ---------------------------------------------------------------------
>
>
> So we did not find anybody that time from any of us who is running
> this script. So it is assumed that they kept this shell script somewhere in our
> server and it is being executed or they are using Apache/php to execute the
> script...
>
> Please help us out.. Where we will check and how we will stop this
> type of script running!!!!
Did you wipe & reload the OS after the box was compromised? If so, did
you close the hole that allowed the crackers in?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lonni J Friedman netllama at linux-sxs.org
Linux Step-by-step & TyGeMo http://netllama.ipfox.com
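
For the "where will we check" part of the question, a triage sketch added here as an example (it is not part of the original thread): it flags shell commands running under the web server account in a process listing and names the parent process, so the spawning httpd worker can be matched against the access log. The account name httpd comes from the post; the function names and the sample listing are constructed, with the flagged command modelled on the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads a listing in the layout
# of `ps -eo user,pid,ppid,args` and reports shells owned by the web server
# account together with their parent process.

flag_web_shells() {
    # $1 = web server account; the listing is read from stdin.
    awk -v acct="$1" '
        NR == 1 { next }                          # skip the ps header row
        {
            user[$2] = $1; ppid[$2] = $3
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            args[$2] = cmd
            order[++n] = $2                       # keep listing order
        }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                if (user[p] != acct) continue
                split(args[p], w, " ")
                exe = w[1]; sub(/^.*\//, "", exe) # basename of argv[0]
                if (exe !~ /^(sh|bash|dash|ksh|csh|tcsh)$/) continue
                parent = (ppid[p] in args) ? args[ppid[p]] : "unknown"
                tmp = (args[p] ~ /\/tmp\//) ? "yes" : "no"
                printf "pid=%s ppid=%s parent=[%s] touches_tmp=%s cmd=[%s]\n", p, ppid[p], parent, tmp, args[p]
            }
        }'
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
USER       PID  PPID COMMAND
root       801     1 /usr/sbin/httpd
httpd      915   801 /usr/sbin/httpd
httpd      916   801 /usr/sbin/httpd
httpd     4242   916 sh -c find / | grep httpd.conf 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp
root      5001  4990 sh -c /usr/bin/run-parts /etc/cron.hourly
EOF
}

sample_listing | flag_web_shells httpd
```

On a live host the input would be `ps -eo user,pid,ppid,args | flag_web_shells httpd`; a flagged child of an httpd worker points at a CGI or PHP script being driven through the web server rather than at a cron job or a login session.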