[Xastir] WAY off topic - but you guys are my 'best resource'
Curt Mills, WE7U
archer at eskimo.com
Sat Aug 30 12:12:58 EDT 2003
On Sat, 30 Aug 2003, KC7ZRU wrote:
> I found something disturbing tonight on one of my RH 7.3 boxes. It's set up
> as a web server. All ports in are blocked with iptables/netfilter except
> for 80.
>
> In the /tmp directory - an executable binary called 'telnetd',
> user=apache group=apache. It was not running. I never install telnetd on
> anything I set up - ever.
>
> chkrootkit says "OK" for as far as that goes.
>
> logs 'look' clean - no obvious gaps, plenty of worm noise to create a
> background.
>
> I don't recognize anything else as suspicious.
>
> Suggestions? Ideas?
It sure looks like someone got in through CGI or other scripts or
modules run by Apache, else you wouldn't have the user/group owned
by Apache. Investigate on Apache-specific mailing lists, newsgroups,
web pages. It's common for exploits to be found in scripts that are
distributed with web servers.
Curt, WE7U. archer at eskimo.com
http://www.eskimo.com/~archer
Lotto: A tax on people who are bad at math. - unknown
Windows: Microsoft's tax on computer illiterates. - WE7U.
The world DOES revolve around me: I picked the coordinate system!
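A small triage helper for the situation described above, added here as an example and not code from the original thread or the Xastir project: it lists executable regular files in a directory (such as /tmp) owned by a given account (the web-server user, "apache" in the post), prints their ownership and timestamps, and preserves copies with metadata intact before anything is cleaned up. The directory, account name and evidence path are parameters you supply.

```shell
#!/bin/sh
# Added example: triage executables dropped by the web-server account.
# Usage: suspicious_execs /tmp apache
#        report_execs /tmp apache
#        preserve_execs /tmp apache /root/evidence   (paths are assumptions)

# Print the executable regular files in DIR owned by USER, one per line.
suspicious_execs() {
    dir=$1
    user=$2
    # -xdev: stay on one filesystem; -type f: skip symlinks and directories;
    # -perm -100: owner execute bit set, as a dropped 'telnetd' would have.
    find "$dir" -xdev -user "$user" -type f -perm -100 2>/dev/null | sort
}

# One line per finding with mode, owner, group, size, mtime and path.
# ls -ld is used because its output format is portable across systems.
report_execs() {
    suspicious_execs "$1" "$2" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Copy each finding into EVIDENCE_DIR with cp -p so ownership, mode and
# timestamps survive for later analysis; do this before removing anything.
preserve_execs() {
    evidence=$3
    mkdir -p "$evidence"
    suspicious_execs "$1" "$2" | while IFS= read -r f; do
        cp -p "$f" "$evidence/$(basename "$f")"
        ls -ld "$f" >> "$evidence/listing.txt"
    done
}
```

Files found this way are worth comparing against package manifests and the Apache access logs around their mtime, since the ownership points at the web server as the process that wrote them.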