
Re: Advice needed, trying to find the vulnerable code on Debian webserver.



Incoming from Ross Tsolakidis:
> 
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
> 
> 18687 ?        S      0:00 shell
> 18701 ?        Z      0:00 [sh <defunct>]
> 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that "3" in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 