
Re: we were attacked



Hi,

I saw a similar occurrence recently - source was a user uploaded copy of
the Mambo CMS (so not within the Debian security patch system) set up in
a web hosting client account, which recently was found to have some
really crap security holes - so look for mambo, and examine the access
log carefully, for example stuff like:

GET /weblog/index.php?option=frontpage&Itemid=system(cd%20/tmp;ls%20-a)

On Fri, 2006-04-07 at 14:49 +0000, danilo lujambio wrote:
> Hi,
> 
> in one of our servers with Sarge we are suffering an attack which put a 
> perl script and two executables in /tmp with owner www-data.
> We couldn't find any data in messages, syslog, apache.log which help 
> us. We have a shorewall with very few ports open (ssh, ftp and web).
> Can someone help us in how to look for the source of the attack?
> 
> thanks in advance
> 
> d.l.
> 
> 
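
One way to do the access-log review suggested in the reply above, as an added example that is not part of the original posts. It assumes Apache common/combined log format; the function-name list, the helper names and the sample lines (documentation IP addresses, the request from the reply) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client, timestamp, then the quoted request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)[^"]*"')
# PHP functions that run commands or code (this list is an assumption of the example).
CALL_RE = re.compile(r'\b(system|exec|passthru|shell_exec|popen|eval)\s*\(', re.I)
TMP_RE = re.compile(r'/tmp\b')

def decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded values are seen too."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def check_target(target):
    """Return (param, decoded value, reasons) for each suspicious query parameter."""
    hits = []
    # Split on '&' only: the value in the reply contains ';' and must stay whole.
    for pair in target.partition('?')[2].split('&'):
        name, _, raw = pair.partition('=')
        value = decode(raw.replace('+', ' '))
        reasons = []
        m = CALL_RE.search(value)
        if m:
            reasons.append('php-call:' + m.group(1).lower())
        if TMP_RE.search(value):
            reasons.append('tmp-path')
        if reasons:
            hits.append((name, value, reasons))
    return hits

def scan(lines):
    """Return (client, timestamp, param, decoded value, reasons) per finding."""
    return [(m.group(1), m.group(2)) + hit
            for m in map(LINE_RE.match, lines) if m
            for hit in check_target(m.group(3))]

# Constructed sample lines: one normal request, the request quoted in the reply,
# and the same request double percent-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2006:14:02:11 +0000] "GET /weblog/index.php?option=frontpage&Itemid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Apr/2006:14:03:40 +0000] "GET /weblog/index.php?option=frontpage&Itemid=system(cd%20/tmp;ls%20-a) HTTP/1.0" 200 412',
    '198.51.100.7 - - [07/Apr/2006:14:03:52 +0000] "GET /weblog/index.php?option=frontpage&Itemid=system%2528cd%2520/tmp;ls%2520-a%2529 HTTP/1.0" 200 412',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=' | ')
```

The timestamps of any findings give a window for checking the modification times of the files that appeared in /tmp under www-data.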


