Re: we were attacked
I saw this happen on someone's server. They had an old version of
awstats that allowed command injection. Check your access logs for a GET
of awstats with a query that looks like shell commands.
Peter A. Dumpert
Innovative Computer Services, LLC
The Diamond Standard of Internet Business
P: 732-683-0092 x 102 F: 732-577-9390
danilo lujambio wrote:
in one of our servers with Sarge we are suffering an attack wich put a
perl script and two executables in /tmp with owner www-data.
We couldn't find any data in messages , syslog, apache.log which help
us. We have a shorewall with very few ports open (ssh , ftp and web) .
Can someone help us in how to looking for the source of the attack ?
thanks in advance