the directory is user:group apache:apache... so check your apache logs....
go over your apache logs with a fine toothed comb.
specifically look for:
file timestamps that match files in the directory(May 25 13:56).
POST requests,
this will usually very quickly show you the requests and the web app hole.
after finding the hole/IP, search your apache logs for all requests from that IP address.
once things have slowed down, be a good netizan and contact yahoo.com abuse to let them
know about the collection email account.
ps: take a deep breath, it's not the end of the world.
Linux Advocate wrote:
> [root at fwgw unix]# ls -al
> total 4352
> drwxr-xr-x 2 apache apache 360 Jun 3 23:47 .
> drwxrwxrwt 3 root root 60 Jun 3 00:24 ..
> -rwxr-xr-x 1 apache apache 0 May 19 06:02 124.164.find.22
> -rwxr-xr-x 1 apache apache 0 Mar 24 22:28 129.135.find.22
> -rwxr-xr-x 1 apache apache 0 Mar 24 22:25 129.find.22
> -rwxr-xr-x 1 apache apache 0 May 25 13:54 21.168.find.22
> -rwxr-xr-x 1 apache apache 12687 May 25 06:16 60.191.find.22
> -rw-r--r-- 1 apache apache 0 Jun 3 23:45 83.182.find.22
> -rwxr-xr-x 1 apache apache 4631 Apr 21 17:50 84.2.find.22
> -rwxr-xr-x 1 apache apache 0 May 25 06:17 89.38.find.22
> -rwxr-xr-x 1 apache apache 2362 May 19 15:28 91.204.find.22
> -rwxr-xr-x 1 apache apache 216 May 18 2005 auto
> -rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
> -rwxr-xr-x 1 apache apache 15729 Oct 14 2005 find
> -rw-r--r-- 1 apache apache 5262 Jun 3 23:45 log
> -rwxr-xr-x 1 apache apache 751 May 25 06:33 unix
> -rw-r--r-- 1 apache apache 0 Jun 3 23:04 vuln.txt
> -rwxr-xr-x 1 apache apache 671 May 25 13:56 x
--
Steven Tardy
Systems Programmer
Information Technology Infrastructure
Information Technology Services
Mississippi State University
sjt5 at its.msstate.edu