Re: we were attacked
Hi,
I saw a similar occurrence recently - source was a user-uploaded copy of
the Mambo CMS (so not within the Debian security patch system) set up in
a web hosting client account, which recently was found to have some
really crap security holes - so look for Mambo, and examine the access
log carefully..
for example stuff like:
GET /weblog/index.php?option=frontpage&Itemid=system(cd%20/tmp;ls%20-a)
On Fri, 2006-04-07 at 14:49 +0000, danilo lujambio wrote:
> Hi,
>
> in one of our servers with Sarge we are suffering an attack which put a
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages, syslog, apache.log which help
> us. We have a shorewall with very few ports open (ssh, ftp and web).
> Can someone help us with how to look for the source of the attack?
>
> thanks in advance
>
> d.l.
>
>
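One way to do the access-log check suggested in the reply above, as an added example that is not part of the original thread: it percent-decodes every query parameter (several times, to expose double encoding) and flags PHP execution calls, shell chaining and /tmp paths. The rule list, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request field of an Apache common/combined log line: "METHOD target PROTO" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Assumed heuristics: things that do not belong in a CMS query parameter.
SUSPICIOUS = [
    ("php-exec-call", re.compile(r"\b(system|passthru|shell_exec|exec|popen|eval)\s*\(", re.I)),
    ("shell-chaining", re.compile(r"[;|`]|\$\(")),
    ("tmp-path", re.compile(r"/tmp\b")),
]

# Constructed sample log (documentation addresses); line 3 is double-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2006:14:01:12 +0000] "GET /weblog/index.php?option=frontpage&Itemid=1 HTTP/1.1" 200 5120
198.51.100.7 - - [07/Apr/2006:14:02:40 +0000] "GET /weblog/index.php?option=frontpage&Itemid=system(cd%20/tmp;ls%20-a) HTTP/1.1" 200 4096
198.51.100.7 - - [07/Apr/2006:14:02:55 +0000] "GET /weblog/index.php?option=frontpage&Itemid=system(cd%2520/tmp;ls%2520-a) HTTP/1.1" 200 4096
"""

def decode(value, rounds=3):
    """Percent-decode several times so double-encoded input (%2520) is exposed."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def scan_line(line):
    """Return (method, path, status, hits) for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode(raw)
        hits += [(name, rule, value) for rule, rx in SUSPICIOUS if rx.search(value)]
    return (m.group("method"), path, int(m.group("status")), hits) if hits else None

def scan_log(text):
    """Return (line number, client address, method, path, status, hits) per finding."""
    return [(n, line.split()[0]) + r for n, line in enumerate(text.splitlines(), 1)
            if (r := scan_line(line))]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

A 200 status on a flagged line only means the request was served, so compare its timestamp with the modification times of the files found in /tmp.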