On Fri, Apr 07, 2006 at 03:34:45PM -0700, Joe Emenaker wrote:
> Say what you will... but we tried everything else that we knew at the
> time. I actually scanned *every* file on the machine (i.e. "find / -type f
> -exec grep -l r0nin {} \;") for anything containing the various filenames,
> to no avail. In case it was a problem in the kernel, or Apache, or Perl,
> or whatever, we regularly used apt to upgrade all of the packages on the
> system to the latest available, including running the latest kernel.
Looking in logs for this is pretty good, but I think if you start
seeing things owned by www-data on pretty-stock installations you
pretty much must assume that it is an Apache problem.
> Yeah, that probably would have helped. It's funny how, *after* you know
> what the problem is, you clearly know the steps to take to find it. It's
> interesting that you didn't mention any of these things to the original
> poster.
I've done so before, check the archives. The same question comes
up regularly on this list... and on debian-security.
> But, if I'm going to get labeled as appalling for trying to help the guy
> out, then, next time, I'll just keep my trap shut and let the dude
> suffer. In fact, maybe I'll go the whole nine yards and just criticize
> the other posters who *do* try to help.
No, the appalling part was having a machine compromised,
resetting it to a "good" state and then letting it get compromised
again, and again, and again.
(Actually it wasn't clear how many times you were reinfected from
your original mail so maybe I read it worse than it actually was.)
If you don't know how they got in then I have to say it is
pretty irresponsible to try to erase the problem and leave it
back out there to get reinfected multiple times.
Steve
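As an added example (not code from either poster in this thread), the two checks Steve's reply points at, scripted so they can be repeated after each cleanup: list files owned by the web-server user outside the places it legitimately writes, then pull every access-log request that names one of them, so the entry point is known before the box is rebuilt. It assumes the web server runs as www-data (or its uid) and writes only under /var/www, /var/log/apache2 and /var/cache/apache2; the scratch tree and log lines it builds for the demo are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the web server
# runs as www-data and legitimately writes only under /var/www,
# /var/log/apache2 and /var/cache/apache2; adjust the -path list for your layout.

# suspect_files ROOT USER: regular files under ROOT owned by USER (name or uid),
# skipping the directories the web server is expected to write to.
# ROOT is "/" on a real system; the demo below passes a scratch tree instead.
suspect_files() {
    root=${1%/}          # "" when ROOT is "/", so the -path patterns still match
    user=$2
    find "${root:-/}" -xdev -type f -user "$user" \
        ! -path "$root/var/www/*" \
        ! -path "$root/var/log/apache2/*" \
        ! -path "$root/var/cache/apache2/*" 2>/dev/null | sort
}

# log_hits LOG: read file paths on stdin and print every line of LOG that
# mentions their basename (a request that fetched or launched the file).
log_hits() {
    log=$1
    while IFS= read -r f; do
        name=$(basename "$f")
        [ -n "$name" ] && { grep -F -- "$name" "$log" || true; }
    done | sort -u
}

# build_demo_tree: constructed filesystem and access log for the demo, owned
# by the current user so it runs unprivileged. Prints the scratch root.
build_demo_tree() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/var/www" "$sb/tmp" "$sb/var/tmp/.x" "$sb/var/log/apache2"
    : > "$sb/var/www/index.html"      # legitimate docroot content, excluded
    : > "$sb/tmp/r0nin"                # dropped into /tmp
    : > "$sb/var/tmp/.x/run.sh"        # dropped into a hidden directory
    cat > "$sb/var/log/apache2/access.log" <<'EOF'
10.0.0.5 - - [07/Apr/2006:14:02:11 -0700] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [07/Apr/2006:14:05:43 -0700] "GET /cgi-bin/test.cgi?f=/tmp/r0nin HTTP/1.0" 200 83
10.0.0.9 - - [07/Apr/2006:14:05:59 -0700] "GET /cgi-bin/test.cgi?f=/var/tmp/.x/run.sh HTTP/1.0" 200 83
EOF
    echo "$sb"
}

# Demo on the constructed tree. On a real box the calls are
#   suspect_files / www-data | log_hits /var/log/apache2/access.log
sb=$(build_demo_tree)
echo "== files owned by uid $(id -u) outside the expected web-server paths =="
suspect_files "$sb" "$(id -u)" | sed "s|^$sb||"
echo "== access-log requests naming them =="
suspect_files "$sb" "$(id -u)" | log_hits "$sb/var/log/apache2/access.log"
rm -rf "$sb"
```

Run it as root so find can read every directory, and diff the suspect_files output against a copy taken from a known-clean install rather than reading it cold; on a real system the interesting part is the log hits, which give the request, source address and time to work back from.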