Date:  Wed, 19 Jul 2006 09:13:28 +0200
From:  Dennis <dennis (at mark) mixfans.org>
Subject:  [coba-e:06053] Re: vunerable
To:  coba-e (at mark) bluequartz.org
Message-Id:  <44BDDB98.6030600 (at mark) mixfans.org>
In-Reply-To:  <44BDBA65.70705 (at mark) mixfans.org>
References:  <27718190-A66C-4995-A501-E50CF1F0B24E (at mark) mfc.bakkers.gr.jp> <44BD2501.7070305 (at mark) dogsbody.org> <44BDBA65.70705 (at mark) mixfans.org>
X-Mail-Count: 06053

Okay, found it. Maybe this story helps, and maybe some suggestions can 
come for getting more control over the system.

Somewhere back on Feb 13 a user was created, and this user was sitting in 
my site1.
This user had in its folder:
aha.c
bind
cgi.php
*.pl

How the user could be created is still unknown to me, so maybe a script 
could be added that sends info to the admin when a user is created in 
the system?

I found this user by checking which files were changed in the last few days, 
as I had seen weird errors on the 16th of July 
(httpd could not start as a session took over port 80).

Today I noticed the cron errors. It seems that the ghost user tried to test 
a vulnerability from last week:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140158&affid=102

Are there any other tools which could be used / installed to monitor 
such httpd actions?

Dennis


Dennis wrote:
> Suddenly I get these admin messages:
>
> chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k && rm 
> -rf /etc/cron.d/core && kill -USR1 3286
>
> chown: cannot access `/dev/shm/nice2k': No such file or directory
>
> It seems that someone 'broke' into my system, but how do I see what 
> happened and where..
> dennis
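One way to get the "tell the admin when a user is created" check Dennis asks for, as an added example that is not part of the original thread or of the BlueQuartz/Cobalt tooling: a cron-driven POSIX shell script that diffs the current /etc/passwd against a saved baseline and mails any new accounts, flagging UID 0 entries. The baseline path, admin address and the `mail` command are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list: report accounts that appeared in
# /etc/passwd since the last saved baseline. Run it from cron, e.g. hourly.
# Assumptions (placeholders): baseline location, admin address, mail(1) present.
BASELINE="${BASELINE:-/var/lib/passwd-baseline}"
ADMIN="${ADMIN:-admin@example.invalid}"

# new_accounts BASELINE_FILE CURRENT_FILE
# Prints one line per account present in CURRENT but absent from BASELINE:
#   "<user> uid=<uid> home=<home> shell=<shell>[ UID0]"
# The FILENAME test (not NR==FNR) keeps an empty baseline from being skipped,
# so a wiped baseline makes every account show up instead of none.
new_accounts() {
    awk -F: -v base="$1" '
        FILENAME == base { seen[$1] = 1; next }   # remember baseline users
        !($1 in seen) {                           # only entries new since baseline
            flag = ($3 == 0) ? " UID0" : ""       # uid 0 = root-equivalent, shout
            printf "%s uid=%s home=%s shell=%s%s\n", $1, $3, $6, $7, flag
        }' "$1" "$2"
}

# check_and_report: first run records the baseline; later runs mail the diff
# and then refresh the baseline so each new account is reported once.
check_and_report() {
    if [ ! -f "$BASELINE" ]; then
        cp /etc/passwd "$BASELINE"
        return 0
    fi
    report=$(new_accounts "$BASELINE" /etc/passwd)
    if [ -n "$report" ]; then
        printf 'New accounts on %s:\n%s\n' "$(hostname)" "$report" \
            | mail -s "new account(s) created on $(hostname)" "$ADMIN"
        cp /etc/passwd "$BASELINE"
    fi
}

# Only touch the real system when invoked as: ./passwd-watch.sh --run
case "${1:-}" in --run) check_and_report ;; esac
```

Pair it with `find /home -mtime -3 -type f` in the same cron job to also list recently changed files under the sites, which is how the ghost account was found.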