Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

To: debian-user@lists.debian.org
Subject: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
From: Reco <recoverym4n@gmail.com>
Date: Thu, 12 Dec 2013 09:39:03 +0400
Message-id: <[🔎] 20131212093903.453fb5d8b0db36e8418e52d5@gmail.com>
In-reply-to: <[🔎] CAKkTUv1-Z8idHwRYTO9=SAHmRZsFyEHGoDzVm5_3g3Mg-xNbPg@mail.gmail.com>
References: <[🔎] CAKkTUv2hUccoNBJ-UX1E=aqkdT9JSoVddG9mcVxgxQjE3qCzFQ@mail.gmail.com> <[🔎] CAKkTUv1-Z8idHwRYTO9=SAHmRZsFyEHGoDzVm5_3g3Mg-xNbPg@mail.gmail.com>

 Hi.

On Wed, 11 Dec 2013 22:03:24 -0600
Lukasz Szybalski <szybalski@gmail.com> wrote:

> and here it is:
> /usr/share/wordpress/wp-content/themes/itheme/checkoutDj4.php
> 
> I deleted this file and others who were created there on Dec 5th. *Now how
> were they able to save a file in there?*
> 
> Any idea how to check that?
> www-data user owns that folder and files.

This. Why do you allow webserver to write
into /usr/share/wordpress/wp-content/themes/itheme/?
Does Wordpress needs to be allowed to write in there?
What does 'find /usr -uid 33' show?

This directory is part of /usr, and stock Debian configuration assumes
that everything below /usr/share belongs to root.

Reco

Reply to:

References:
- Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Lukasz Szybalski <szybalski@gmail.com>
- Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
  - From: Lukasz Szybalski <szybalski@gmail.com>

Prev by Date: Re: script line not working as its supposed to, but why?
Next by Date: Re: Xfce config question
Previous by thread: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
Next by thread: Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
Index(es):
- Date
- Thread