I just found out that this server has lost control over files in /sbin
I can't change owner/rights (chmod) on /sbin and the files in it as root
Any ideas on how to correct this?
Did you have the same problem?
Kind regards,
Steffan Noord
-----Original message-----
From: Dennis [mailto:dennis (at mark) mixfans.org]
Sent: Wednesday 19 July 2006 9:13
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:06053] Re: vunerable
okay found it .. maybe this story helps and maybe some suggestions can
come for getting more control on the system
somewhere back on Feb 13 a user was created and this user was sitting in
my site1
this user had in its folder:
aha.c
bind
cgi.php
*.pl
how the user could be created is still unknown to me, so maybe there can
be added a script that will be sending info to the admin when a user is
created in the system?
I found this user by checking which files were changed the last few days
as I had seen weird errors on the 16th of July
(httpd could not start as a session took over port 80)
Today I noticed the cron errors. Seems that the ghost user tried to test
a vulnerability from last week
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140158&affid=102
Are there any other tools which could be used / installed to monitor
such httpd actions?
Dennis
Dennis wrote:
> Suddenly I get this admin messages:
>
> chown root:root /dev/shm/nice2k && chmod 4755 /dev/shm/nice2k && rm
> -rf /etc/cron.d/core && kill -USR1 3286
>
> chown: cannot access `/dev/shm/nice2k': No such file or directory
>
> it seems that someone 'broke' into my system, but how to see what
> happened and where ..
> dennis
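Dennis asks above for a script that tells the admin when a user is created. One way to do that, as an added example that is not part of the original thread, is to compare the passwd file against a saved baseline and report any account the baseline lacks. The function names, file paths and sample accounts (`ghost`, `toor`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed.

# new_accounts BASELINE CURRENT
# Prints one line per account that is in CURRENT but not in BASELINE.
# Accounts with UID 0 are marked, since an extra root-equivalent is the worst case.
new_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/      { next }                  # skip blank and comment lines
        FILENAME == ARGV[1] { known[$1] = 1; next }   # baseline: remember each name
        !($1 in known) {
            flag = ($3 ~ /^0+$/) ? " UID0" : ""
            printf "%s uid=%s home=%s shell=%s%s\n", $1, $3, $6, $7, flag
        }
    ' "$1" "$2"
}

# check_accounts BASELINE CURRENT
# Prints a report and returns 1 when new accounts exist, 0 when there are none,
# 2 when a file could not be read.
check_accounts() {
    found=$(new_accounts "$1" "$2") || return 2
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'New accounts since baseline %s:\n%s\n' "$1" "$found"
    return 1
}

# Constructed sample: a baseline copy and a later passwd file with two additions.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
EOF
cat > "$demo_dir/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
ghost:x:512:512::/home/ghost:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
check_accounts "$demo_dir/passwd.baseline" "$demo_dir/passwd.now" || true
rm -rf "$demo_dir"
```

On a live system the baseline would be a copy of `/etc/passwd` kept somewhere the web server cannot write, with the check run from cron and its output mailed to the admin. The baseline is refreshed only after a legitimate account change.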