From: Steel City Phantom
Date: Mon, 27 Feb 2006 22:09:15 -0500
To: freebsd-questions@freebsd.org
Subject: Re: Apparent Hack attempt filling partition

I looked this virus up. It said to look for perl scripts in the tmp dir, and I don't have any of the ones the sites I found said to look for. I know this server is a bit behind on updates; specifically, what version of PHP fixed this problem? I ask because at the moment I don't have that big of a window of opportunity to bring the server down for upgrades.

Kees Plonsz wrote:

> Steel City Phantom wrote on Monday 27 February 2006 22:56:
>
> > It seems that on Friday I had some kind of hack scanner hit one of my servers. It went thru the website looking for scripts; I believe it was my hosting company that did it with their vulnerability scanner. The problem is that for some reason, the server was kicked into a loop failing on a perl script that eventually filled the /var partition with a 1 gig error log file and brought mysql down for lack of temp space to run some queries.
>
> I think that is the "Net-Worm.Linux.Mare.d". It is not special to Linux but works on all *unix machines with the PHP XML-RPC library and MAMBO. One of the files it uses is ping.txt:
>
>     mv: ping.txt: No such file or directory
>
> [1]http://www.f-secure.com/v-descs/mare_d.shtml

_______________________________________________
[2]freebsd-questions@freebsd.org mailing list
[3]http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [4]"freebsd-questions-unsubscribe@freebsd.org"

References

1. http://www.f-secure.com/v-descs/mare_d.shtml
2. mailto:freebsd-questions@freebsd.org
3. http://lists.freebsd.org/mailman/listinfo/freebsd-questions
4. mailto:freebsd-questions-unsubscribe@freebsd.org