Re: we were attacked
> > in one of our servers with Sarge we are suffering an attack which put a
> > perl script and two executables in /tmp with owner www-data.
> > We couldn't find any data in messages, syslog, apache.log which helps
> > us. We have a shorewall with very few ports open (ssh, ftp and web).
> > Can someone help us with how to look for the source of the attack?
> Perhaps you should give rkhunter
> (http://www.rootkit.nl/projects/rootkit_hunter.html) a try and check
> if you "only" got a false positive!!
> I got this on an old RedHat, too!
There's even a Debian package out of it for chkrootkit.
With rkhunter and chkrootkit you can find out if a root exploit is in
If it's the case, get the server off the line and after you found nothing
reinstall the backups!
Additionally you can give my project a try the next time for an audit:
is the name of the appropriate project for you.
And additionally I have to agree you should give mod-security a try.
It is also a good project to cover web forensic server security.
Freedom for Tibet!