[CentOS] (c 5.6) Running 2 versions of Apache ?

Les Mikesell lesmikesell at gmail.com
Mon Aug 29 20:52:13 UTC 2011


On Mon, Aug 29, 2011 at 3:14 PM, Always Learning <centos at u61.u22.net> wrote:
>
>> That probably means the intrusion is self-propagating.  That is, if
>> the target is running some vulnerable php version or application, it
>> is able to install a copy of itself and start over.
>
> In this particular incident, I am reasonable certain the loony is using
> tools to find vulnerable IPs and then manually feeding the address into
> his scrip.

That means he's not very good at it yet.  The ones you need to worry
about will send quick exploit tests cycling through different
destinations, that if they succeed will post to a central receiver.
Then later, likely from a different location, it will send the one
that attempts to escalate access to root and/or establish a connection
back for central control.  The point here being that an IP block
probably won't help much against an exploit that works well enough to
establish a distributed base.

-- 
  Les Mikesell
   lesmikesell at gmail.com



More information about the CentOS mailing list