[CentOS] mystery process "unit"

Tue Aug 12 19:44:48 UTC 2008
Jancio Wodnik <jancio_wodnik at wp.pl>

sbeam pisze:
> On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
>   
>> maybe you should check with "lsof -p 3041" and see which files/pipes it
>> uses to have a clue.
>>     
>
> of course! <slap>
>
> it's a perl w0rm that was uploaded last night, now killed. Now to determine 
> how it got in.
>
> I found some output in the main apache error log that looks like wget was used 
> to download a shellbot. But I can't figure out how wget was called, may be 
> some PHP exec() call that is unchecked. 
>
> But I can't find it on the system yet or the data files it uses.
>
> chkrootkit says all is clear.
>
> mod_security is now being installed, belatedly. This server has only been up 1 
> week, sheesh.
>
> thanks
> Sam
>
>
>
> PS here is the link to the shellbot that was used, in case anyone is curious. 
> I break up the URL to protect the innocent:
>
> http://usua<BREAK>rios.lycos.es/<BREAK>w0rms/info.txt
>
> have searched it and don't find anything special on the main security sites. 
> Is it new?
>   
Hm. And what about selinux and httpd ? Selinux is securing httpd from 
this attacks, right ? Selinux was disabled ?

Irek

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
>