LinuxQuestions.org
Old 08-27-2006, 09:21 PM   #1
akomakom
LQ Newbie, Registered: Aug 2006, Posts: 1
Thank you! That helped me figure this one out


//moderator.note: (pruned from) in-possible-reply-to (stale thread): http://www.linuxquestions.org/questi...d.php?t=205751

You were absolutely right, I didn't even think of searching for wget - my box had "vadim" and "energymech" installed on it via an exploit on the Horde help system, using passthru().

My box was acting as an IRC bot for some place in Amsterdam and flooding some box in the Czech Republic. BTW: I had flood stuff in /var/tmp/fl/ and IRC stuff in "/var/tmp/ " - note the space as a directory name. The Energy Mech app was named "sh".

I stopped upgrading Horde as it was such a pain to do, and I got what I deserved. What a relief, knowing how it was done and what needs fixing (I hope). Time to rebuild.

Yes, I pulled the cable as soon as I knew - but then, this box is only a personal toy.



Quote:
Originally Posted by rash
The bug was in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files in your web server that have functions like system(), and search for the string wget in your Apache logs to find the intruder's IP.

Upgrade the version of your kernel; some versions of kernel 2.4 have a bug that allows exploiting the kernel to gain root access. Verify the ports open on your system and whether there are suspicious executables in ps.

Regards.

Last edited by unSpawn; 08-28-2006 at 01:43 AM. Reason: //moderator pruned from in-possible-reply-to stale thread
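The three checks rash suggests and the symptoms akomakom describes (wget in the Apache log, a whitespace-named directory under /var/tmp, PHP calling passthru()) can be scripted for triage. This is an added example, not code from the thread; the function names are hypothetical and it runs only on constructed sample data (documentation-range IPs) in a temp dir.

```shell
#!/bin/sh
# Added triage helpers (not from the thread); they run on constructed sample
# data under a temp dir, never on the live system.

# Unique client IPs whose access-log line mentions wget (rash's log search).
wget_ips() {
    grep -i 'wget' "$1" | awk '{ print $1 }' | sort -u
}

# Direct subdirectories of $1 whose name starts or ends with whitespace,
# the "/var/tmp/ " trick described in the post.
odd_dirs() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in
            ' '*|*' ') printf '%s\n' "$d" ;;
        esac
    done
}

# PHP files under $1 that call shell-spawning functions such as passthru().
risky_php() {
    find "$1" -name '*.php' -exec grep -lE \
        '(passthru|system|shell_exec|exec|popen)[[:space:]]*\(' {} +
}

# Build constructed sample data (hypothetical IPs from documentation ranges).
make_sample() {
    s=$(mktemp -d)
    cat > "$s/access.log" <<'EOF'
203.0.113.7 - - [27/Aug/2006:20:01:12 -0500] "GET /horde/help/?q=wget HTTP/1.0" 200 512
192.0.2.44 - - [27/Aug/2006:20:02:30 -0500] "GET /index.php HTTP/1.1" 200 1024
203.0.113.7 - - [27/Aug/2006:20:03:05 -0500] "GET /horde/help/?q=WGET HTTP/1.0" 200 120
EOF
    mkdir -p "$s/tmp/fl" "$s/tmp/ " "$s/www"
    : > "$s/tmp/ /sh"
    printf '<?php passthru($cmd); ?>\n' > "$s/www/help.php"
    printf '<?php echo "ok"; ?>\n' > "$s/www/index.php"
    printf '%s\n' "$s"
}

# Demo run; everything lives under the temp dir and is removed afterwards.
sample=$(make_sample)
echo "IPs requesting wget:";          wget_ips "$sample/access.log"
echo "Dirs with whitespace names:";   odd_dirs "$sample/tmp"
echo "PHP calling shell functions:";  risky_php "$sample/www"
rm -rf "$sample"
```

On a real box, point the functions at the actual Apache log, /var/tmp and the document root, ideally from a live CD or after imaging the disk, since the attacker's "sh" may shadow system tools.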
 
Old 08-28-2006, 03:55 AM   #2
unSpawn
Moderator, Registered: May 2001, Posts: 29,415, Blog Entries: 55
Hello there and welcome to LQ.

It would be quite advantageous to read the LQ Rules and check out LQ a bit if you haven't already. We're a lot like other boards, but we've got some additional rules, in essence to help you get more out of it all. For instance, we'd rather not see people tack their posts onto way old threads. If you have a problem, make your own new thread: that way it gets all the attention it deserves. Else, refer to the old one if you need to. Apart from that, the only similarity with the thread you posted in is that "vadim" was found on both boxen, and basically that's just a side effect of the break-in.