Izak Burger wrote:
Yes, chances are that it's just some insecure script in a webspace. Not good, but if you are a webservice provider, you always have some special customer. I even know companies which buy a CMS and don't think of who cares for it over time as long as it's running ...

On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz

I agree, chances are the box hasn't been exploited just yet, but I would be worried about just how he got that file there in the first place. We know that directory is world writable, so it could have been written by anything, but what? Sometimes the ownership of the file will give it away, for example, if the file is owned by www-data, you know some exploit in apache (usually php!) was used to gain file system access.
On the other hand, you should keep in mind that it could be someone who has gained root privileges and hides some of his activities. If he is root, then there have to be some other traces left of him.
So you should collect other information:
- lsof and /proc, if you find suspicious processes
- intrusion detection software
- logfile scanning software and manual examining log files including firewall logs
A good point is when you can trace times of activity. But always keep in mind that the information could be wrong.
--
Guntram Trebs
freelance programmer and administrator
gt@trebs.net
+49 (30) 42 80 61 55
+49 (178) 686 77 55
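
The ownership and timestamp checks discussed in this thread, as an added example that is not part of the original messages: it lists regular files under a directory with owner, mtime and ctime, and notes files owned by a web server account or whose ctime is later than their mtime. The account names in WEB_USERS and the /tmp default are assumptions.

```python
import os, pwd, stat, sys, time

# Assumption: common web server account names; adjust for the host.
WEB_USERS = {"www-data", "apache", "nginx"}

def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def triage(root, web_users=WEB_USERS):
    """Return one record per regular file under root, oldest ctime first."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                      # file vanished or unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            owner, notes = owner_name(st.st_uid), []
            if owner in web_users:
                notes.append("owned by web server account")
            if st.st_mode & 0o111:
                notes.append("executable")
            # mtime can be set freely with utime(); ctime cannot be set that
            # way, so a gap means chmod/rename/utime ran after the last write.
            if st.st_ctime - st.st_mtime > 1:
                notes.append("ctime later than mtime")
            records.append({"path": path, "owner": owner, "mtime": st.st_mtime,
                            "ctime": st.st_ctime, "notes": notes})
    return sorted(records, key=lambda r: r["ctime"])

if __name__ == "__main__":
    # Hypothetical default; pass the world-writable directory in question.
    for r in triage(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))
        print(fmt(r["ctime"]), fmt(r["mtime"]), r["owner"], r["path"],
              "; ".join(r["notes"]), sep="\t")
```

A "ctime later than mtime" note is not proof of tampering, since an ordinary chmod or rename produces it too; it marks files whose timestamps deserve a cross-check against the logs.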