Re: we were attacked
On Fr, 2006-04-07 at 14:49 +0000, danilo lujambio wrote:
> in one of our servers with Sarge we are suffering an attack wich put a
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages , syslog, apache.log which help
> us. We have a shorewall with very few ports open (ssh , ftp and web) .
> Can someone help us in how to looking for the source of the attack ?
Perhaps you should give rkhunter
(http://www.rootkit.nl/projects/rootkit_hunter.html) a try and check
if you "only" got a false positive!!
I got this on a old RedHat, too!
Frauen sind die einzigsten Opfer die auf ihre Jäger lauern!