Re: we were attacked

To: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Jochen Kaechelin <fvgi242ss@wlanhacking.de>
Date: Fri, 07 Apr 2006 20:46:51 +0200
Message-id: <[🔎] 1144435612.18796.1.camel@localhost>
Reply-to: fvgi242ss@wlanhacking.de
In-reply-to: <[🔎] 44367C04.6030609@tau.org.ar>
References: <[🔎] 44367C04.6030609@tau.org.ar>

On Fr, 2006-04-07 at 14:49 +0000, danilo lujambio wrote:
> Hi,
> 
> in one of our servers with Sarge we are suffering an attack wich put a 
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages , syslog, apache.log which help 
> us. We have a shorewall with very few ports open (ssh , ftp and web) .
> Can someone help us in how to looking for the source of the attack ?

Perhaps you should give rkhunter
(http://www.rootkit.nl/projects/rootkit_hunter.html) a try and check
if you "only" got a false positive!!

I got this on a old RedHat, too!

Good luck!!

-- 
wlanhacking.de
http://mail.wlanhacking.de/cgi-bin/mailman/listinfo

Frauen sind die einzigsten Opfer die auf ihre Jäger lauern!

Reply to:

References:
- we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>

Prev by Date: Re: we were attacked
Next by Date: DMZ Question
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread