Nick wrote:
Rick Philbrick wrote:
Hi,
Well thats telling. So do you have chkroot-kit installed? Although you know you've got to have a root-kit on there. Anyway, it may help narrow your search of the directories and the changes within.
-rickp
Well i quarantined the files and then ran rkhunter and chkrootkit and both came back ok. Not going to risk not starting over on the box but if i can't tell how they got in then I'm not stopping it happening again. It could of course have something to do with one of the webapps the box runs (forum software)...
Also i found my iptables script wasn't blocking port 80 and port 21 outbound.... school boy error.
Hi -
I'm guessing that this happened by an overly friendly webapp, since the processes are in fact running under the 'apache' username. I think that if I were doing this - and I had a clue - I'd run this application under a less conspicuous username.
You probably knew that. Couldn't hurt to throw that out, eh?
Thanks -dant