Re: we were attacked

To: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Peter Dumpert <pdumpert@innovativebusiness.net>
Date: Fri, 07 Apr 2006 16:59:00 -0400
Message-id: <[🔎] 4436D294.5070205@innovativebusiness.net>
In-reply-to: <[🔎] 44367C04.6030609@tau.org.ar>
References: <[🔎] 44367C04.6030609@tau.org.ar>

I saw this happen on someone's server. They had an old version ofawstats that allowed command injection. Check your access logs for a GETof awstats with a query that looks like shell commands.


Peter A. Dumpert
Innovative Computer Services, LLC
The Diamond Standard of Internet Business
P: 732-683-0092 x 102 F: 732-577-9390
http://innovativebusiness.net/



danilo lujambio wrote:

Hi,
in one of our servers with Sarge we are suffering an attack wich put aperl script and two executables in /tmp with owner www-data.We couldn't find any data in messages , syslog, apache.log which helpus. We have a shorewall with very few ports open (ssh , ftp and web) .
Can someone help us in how to looking for the source of the attack ?

thanks in advance

d.l.

Reply to:

References:
- we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>

Prev by Date: DMZ Question
Next by Date: Re: we were attacked
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread