Re: Advice needed, trying to find the vulnerable code on Debian webserver.
Incoming from Ross Tsolakidis:
>
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
>
> 18687 ? S 0:00 shell
> 18701 ? Z 0:00 [sh <defunct>]
> 18704 ? T 0:00 ./3 200.177.162.185 1524

I vaguely remember that "3" in /tmp is slapper. Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling