On Fri, Apr 07, 2006 at 03:34:45PM -0700, Joe Emenaker wrote:
> Say what you will... but we tried everything else that we knew at the
> time. I actually scanned *every* file on the machine (ie "find / -type f
> -exec grep -l r0nin {} \;") for anything containing the various filenames,
> to no avail. In case it was a problem in the kernel, or Apache, or Perl,
> or whatever, we regularly used apt to upgrade all of the packages on the
> system to the latest available, including running the latest kernel.

Looking in logs for this is pretty good, but I think if you start seeing
things owned by www-data on pretty-stock installations you pretty much
must assume that it is an Apache problem.

> Yeah, that probably would have helped. It's funny how, *after* you know
> what the problem is, you clearly know the steps to take to find it. It's
> interesting that you didn't mention any of these things to the original
> poster.

I've done so before, check the archives. The same question comes up
regularly on this list... and on debian-security.

> But, if I'm going to get labeled as appalling for trying to help the guy
> out, then, next time, I'll just keep my trap shut and let the dude
> suffer. In fact, maybe I'll go the whole nine yards and just criticize
> the other posters who *do* try to help.

No, the appalling part was you having a machine compromised, resetting it
to a "good" state and then letting it get compromised again, and again,
and again. (Actually it wasn't clear how many times you were reinfected
from your original mail, so maybe I read it worse than it actually was.)

If you don't know how they got in, then I have to say it is pretty
irresponsible to try to erase the problem and leave it back out there to
get reinfected multiple times.

Steve

-- 
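A small triage helper in the spirit of the advice above (look in the logs, and treat files owned by www-data in places the web server should not be writing as a sign the web server was the way in). This is an added example, not code from either poster or from the list; the list of directories where www-data is expected to write, the sample file inventory and the sample Apache log lines are constructed assumptions and should be adjusted to the real host.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): flag files owned by the web-server
user outside the places it is expected to write, then pull access-log lines
from around each file's mtime so the request that created it can be found."""
import os
import pwd
import re
from datetime import datetime, timedelta, timezone

# Where www-data legitimately writes on a stock Debian/Apache box. This list
# is an assumption for the example; adjust it to the real site's layout.
EXPECTED_WRITE_ROOTS = (
    "/var/cache/apache2",
    "/var/lib/php",
    "/var/lock/apache2",
    "/var/www/uploads",
)

def is_unexpected(path, owner, allowed=EXPECTED_WRITE_ROOTS, web_user="www-data"):
    """True when `path` is owned by the web-server user but lies outside `allowed`."""
    if owner != web_user:
        return False
    return not any(path == r or path.startswith(r.rstrip("/") + "/") for r in allowed)

def flag_entries(entries, allowed=EXPECTED_WRITE_ROOTS, web_user="www-data"):
    """Apply the heuristic to an inventory of (path, owner) pairs; returns flagged paths."""
    return [p for p, o in entries if is_unexpected(p, o, allowed, web_user)]

def walk_owned_by(root, allowed=EXPECTED_WRITE_ROOTS, web_user="www-data"):
    """Scan a live filesystem under `root`; returns (path, mtime_utc) for flagged files.
    Unreadable entries are skipped rather than aborting the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                owner = pwd.getpwuid(st.st_uid).pw_name
            except (OSError, KeyError):
                continue
            if is_unexpected(path, owner, allowed, web_user):
                hits.append((path, datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    return hits

# Apache common/combined log timestamp, e.g. [07/Apr/2006:15:34:45 -0700]
LOG_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def log_lines_near(log_lines, when, window=timedelta(minutes=5)):
    """Return access-log lines whose timestamp is within `window` of `when` (tz-aware)."""
    out = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            out.append(line)
    return out

# Constructed sample data so the example runs offline.
SAMPLE_INVENTORY = [
    ("/var/cache/apache2/mod_cache_disk/aa/bb", "www-data"),  # expected location
    ("/var/lib/php/sessions/sess_0123", "www-data"),          # expected location
    ("/var/www/html/index.php", "root"),                      # not owned by www-data
    ("/tmp/.hidden/run.sh", "www-data"),                      # flagged
    ("/dev/shm/.x", "www-data"),                              # flagged
]
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2006:14:10:00 -0700] "GET /about.html HTTP/1.1" 200 2211',
    '10.0.0.5 - - [07/Apr/2006:15:30:12 -0700] "GET /index.php HTTP/1.1" 200 1043',
    '10.0.0.9 - - [07/Apr/2006:15:33:50 -0700] "POST /upload.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Apr/2006:15:41:00 -0700] "GET /favicon.ico HTTP/1.1" 404 209',
]
# Constructed mtime of a flagged file, in the log's own -0700 offset.
SAMPLE_MTIME = datetime(2006, 4, 7, 15, 34, 45, tzinfo=timezone(timedelta(hours=-7)))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live scan: python3 triage.py /  (run as a user that can read the tree)
        for path, mtime in walk_owned_by(sys.argv[1]):
            print(f"{mtime.isoformat()}  {path}")
    else:
        print("flagged:", flag_entries(SAMPLE_INVENTORY))
        for line in log_lines_near(SAMPLE_LOG, SAMPLE_MTIME):
            print("nearby request:", line)
```

Run it with a root directory to walk the real filesystem, or with no arguments to see the heuristic applied to the constructed sample. The log window is deliberately narrow: the point is to find the handful of requests that line up with a suspicious file's mtime, which is the evidence needed before rebuilding the box, rather than after.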