
RE: Advice needed, trying to find the vulnerable code on Debian webserver.



"Wipe, install, set up chkrootkit and run it often." 
I've already done that.  There was no rootkit.

"How does phpnuke compromise apache if apache is set up correctly?"
I believe it's some of the modules available and running php with 'safe
mode off'.

I need to find the vulnerable code on this box.  And I have no idea
where to begin.
I've tried running virus scans, nothing is infected.


--
Ross



-----Original Message-----
From: s. keeling [mailto:keeling@spots.ab.ca] 
Sent: Tuesday, 15 June 2004 2:06 PM
To: debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

Incoming from Ross Tsolakidis:
> 
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
> 
> 18687 ?        S      0:00 shell
> 18701 ?        Z      0:00 [sh <defunct>]
> 18704 ?        T      0:00 ./3 200.177.162.185 1524

I vaguely remember that "3" in /tmp is slapper.  Wipe, install, set up
chkrootkit and run it often.

How does phpnuke compromise apache if apache is set up correctly?


--
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 


