sbeam wrote:
> On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
>
>> maybe you should check with "lsof -p 3041" and see which files/pipes it
>> uses to have a clue.
>>
>
> of course! <slap>
>
> it's a perl w0rm that was uploaded last night, now killed. Now to determine
> how it got in.
>
> I found some output in the main apache error log that looks like wget was used
> to download a shellbot. But I can't figure out how wget was called, may be
> some PHP exec() call that is unchecked.
>

Anything in /tmp ?
Disable register_globals and allow_url_fopen.
Set open_basedir for any virtual hosts to the absolute minimum.
That will help a bit.

> But I can't find it on the system yet or the data files it uses.
>
> chkrootkit says all is clear.
>
> mod_security is now being installed, belatedly. This server has only been up 1
> week, sheesh.
>
> thanks
> Sam
>
>

It was most likely executed via a remote server.
Look for URLs in the logs that fetch stuff from remote servers.

cheers,
Rainer
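
The log check suggested in the reply above, as an added example that is not part of the original thread: it scans Apache access-log lines for query parameters whose value is itself a remote URL. It assumes the common/combined log format; the function name, sample lines, addresses and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that starts with a URL scheme asks the script to fetch remotely.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation addresses and .invalid hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2008:03:14:07 +0200] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Aug/2008:03:15:42 +0200] "GET /index.php?page=http://files.example.invalid/bot.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Aug/2008:03:15:44 +0200] "GET /view.php?id=3&inc=ftp%3A%2F%2Ffiles.example.invalid%2Fs.txt HTTP/1.0" 404 208',
    # URL in the middle of a value: not an include-style parameter, not flagged.
    '192.0.2.33 - - [12/Aug/2008:03:20:01 +0200] "GET /go.php?note=see+http://example.invalid HTTP/1.1" 200 90',
]


def remote_include_hits(lines):
    """Return (client, status, param, value) for each parameter holding a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding (%253A).
            decoded = unquote(value)
            if REMOTE_RE.match(decoded):
                hits.append((client, int(status), name, decoded))
    return hits


if __name__ == "__main__":
    for client, status, name, value in remote_include_hits(SAMPLE_LOG):
        # A 2xx status means the script answered the request: review those first.
        print(f"{client} status={status} param={name} value={value}")
```

Each hit names the script parameter to audit, which is also where the `allow_url_fopen` and `open_basedir` settings mentioned above take effect.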