At the moment everything is solved. I have blocked the IP address, but I haven't found the script.
----- Original Message -----
From: david@pnyet.web.id [mailto:david@pnyet.web.id]
Sent: Thursday, December 24, 2009 01:07 PM
To: 'CentOS mailing list'
Subject: Re: [CentOS] attack
If you are trying to find out what users are running for a specific command, you should use top, ps or netstat; please read the manual for how to use them. After all that, once you have some info, unplug your server from the internet and see what the log says.
------Original Message------
From: Manu Verhaegen
Sender: centos-bounces@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] attack
Sent: Dec 24, 2009 6:31 PM
Hi,
My server is under attack, which allows the attacker to abuse a PHP script of a vhost. How can I find out which script it is?
Regards, maverh
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Warm regards, David
./nobody
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Manu Verhaegen
Sent: Thursday, December 24, 2009 7:04 AM
To: CentOS mailing list
Subject: Re: [CentOS] attack
At the moment everything is solved. I have blocked the IP address, but I haven't found the script.
So you are the attacker. Happened to me a couple weeks ago.
Check your tmp directory and subdirectory for std, udp.pl. Also check /etc/passwd and /etc/shadow for unusual users. Should be at the very bottom of those files.
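
The checks suggested in this thread (scripts in the tmp directories, unusual accounts at the bottom of /etc/passwd, and what the log says about the blocked IP) can be scripted as below. This is an added example, not part of any poster's message; the function names, the combined access-log format and the sample data are assumptions.

```bash
#!/bin/bash
# Added triage sketch. "std" and "udp.pl" are the names from the thread;
# paths, log format and sample data below are assumptions.

# Scripts or thread-named files under a temp directory (recursive).
suspicious_tmp_files() {
    find "$1" -xdev -type f \( -name std -o -name '*.pl' \
        -o -name '*.php' -o -name '*.sh' \) 2>/dev/null | LC_ALL=C sort
}

# Non-root UID 0 accounts, plus the last N entries of a passwd-format file
# (new accounts are appended at the bottom).
odd_accounts() {
    local file=$1 n=${2:-3}
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$file"
    tail -n "$n" "$file" | awk -F: '{ print "recent:" $1 }'
}

# Requests per PHP script from one client IP (combined log format),
# most-hit first: the blocked IP leads back to the abused script.
php_hits_from_ip() {
    awk -v ip="$2" '$1 == ip {
        path = $7; sub(/\?.*$/, "", path)      # drop the query string
        if (path ~ /\.php$/) hits[path]++
    }
    END { for (p in hits) print hits[p], p }' "$1" | sort -k1,1nr -k2
}

# --- constructed sample data; IPs are documentation addresses ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
mkdir -p "$work/tmp/.x"
touch "$work/tmp/.x/udp.pl" "$work/tmp/std" "$work/tmp/session.dat"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'apache:x:48:48:Apache:/var/www:/sbin/nologin' \
    'sysadm:x:0:0::/tmp:/bin/bash' > "$work/passwd"
cat > "$work/access_log" <<'EOF'
203.0.113.9 - - [24/Dec/2009:06:01:10 +0100] "POST /gallery/upload.php?x=1 HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2009:06:01:12 +0100] "POST /gallery/upload.php HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2009:06:01:15 +0100] "GET /index.php HTTP/1.1" 200 2048
198.51.100.7 - - [24/Dec/2009:06:02:00 +0100] "GET /index.php HTTP/1.1" 200 2048
EOF
suspicious_tmp_files "$work/tmp"
odd_accounts "$work/passwd" 1
php_hits_from_ip "$work/access_log" 203.0.113.9
```

On a live host the same functions would be pointed at /tmp and /var/tmp, /etc/passwd, and each vhost's access log in turn.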