sbeam wrote:
> On Tuesday 12 August 2008 09:08, Mr Shunz wrote:
>
>> maybe you should check with "lsof -p 3041" and see which files/pipes it
>> uses to have a clue.
>>
>
> of course! <slap>
>
> it's a perl w0rm that was uploaded last night, now killed. Now to determine
> how it got in.
>
> I found some output in the main apache error log that looks like wget was used
> to download a shellbot. But I can't figure out how wget was called, may be
> some PHP exec() call that is unchecked.
>
> But I can't find it on the system yet or the data files it uses.
>
> chkrootkit says all is clear.
>
> mod_security is now being installed, belatedly. This server has only been up 1
> week, sheesh.
>
> thanks
> Sam
>
> PS here is the link to the shellbot that was used, in case anyone is curious.
> I break up the URL to protect the innocent:
>
> http://usua<BREAK>rios.lycos.es/<BREAK>w0rms/info.txt
>
> have searched it and don't find anything special on the main security sites.
> Is it new?
>

Hm. And what about SELinux and httpd? SELinux is securing httpd from these attacks, right? Was SELinux disabled?

Irek