[CentOS] Uselib24/bindz - owned!

Thu May 4 07:17:13 UTC 2006
dan.trainor <dan.trainor at gmail.com>

Nick wrote:
> Rick Philbrick wrote:
>> Hi,
>>
>> Well, that's telling.  So do you have chkrootkit installed?  Although
>> you know you've got to have a rootkit on there. Anyway, it may help
>> narrow your search of the directories and the changes within.
>>
>> -rickp
>>
> 
> Well, I quarantined the files and then ran rkhunter and chkrootkit and 
> both came back OK. Not going to risk not starting over on the box, but if 
> I can't tell how they got in then I'm not stopping it happening again. 
> It could of course have something to do with one of the webapps the box 
> runs (forum software)...
> 
> Also, I found my iptables script wasn't blocking port 80 and port 21 
> outbound.... schoolboy error.
> 

Hi -

I'm guessing that this happened by an overly friendly webapp, since the 
processes are in fact running under the 'apache' username.  I think that 
if I were doing this - and I had a clue - I'd run this application under 
a less conspicuous username.

You probably knew that.  Couldn't hurt to throw that out, eh?

Thanks
-dant
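Nick's iptables remark above (outbound 80 and 21 not blocked) and Dan's point that the processes ran as 'apache' suggest a per-user egress rule. The script below is an added illustration, not from anyone in this thread: it uses the iptables owner match so that only the web server's user is denied new outbound tcp/80 and tcp/21 connections, logging each attempt first. The user name, the ports and the dry-run default (IPT is "echo iptables" unless overridden) are the example's own assumptions.

```shell
#!/bin/sh
# Added example: egress filtering for the web server user (not thread code).
# Runs in dry-run mode by default; set IPT=iptables and run as root to apply.
IPT="${IPT:-echo iptables}"
WEB_USER="${WEB_USER:-apache}"          # assumed: the uid httpd runs under
BLOCKED_PORTS="${BLOCKED_PORTS:-80 21}" # assumed: ports Nick mentioned

# Emit one LOG rule and one REJECT rule per blocked port, for $WEB_USER only.
# The owner match works only in the OUTPUT chain (locally generated packets),
# and '--state NEW' leaves established replies to inbound clients untouched.
egress_rules() {
    for port in $BLOCKED_PORTS; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $WEB_USER -p tcp --dport $port -m state --state NEW -j LOG --log-prefix ${WEB_USER}-egress:"
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $WEB_USER -p tcp --dport $port -m state --state NEW -j REJECT --reject-with tcp-reset"
    done
}

# Count the rules that would be installed (two per port).
egress_rule_count() {
    egress_rules | wc -l | tr -d ' '
}

# Apply the rules (or, in dry-run mode, just print the iptables commands).
apply_egress_rules() {
    egress_rules | while IFS= read -r rule; do
        # word splitting of $rule is intentional: it is the argument list
        $IPT $rule
    done
}

apply_egress_rules
```

Rejecting with a TCP reset rather than dropping makes a compromised script fail fast instead of hanging, and the LOG line in front of it is what you grep for when asking how the box phoned home.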