Date:      Thu, 17 Nov 2005 09:35:31 +0100
From:      jimmy@inet-solutions.be
To:        Bill Desjardins <bill@ethernext.com>
Cc:        freebsd-security@freebsd.org, Mark Jayson Alvarez <jay2xra@yahoo.com>
Subject:   Re: Need urgent help regarding security
Message-ID:  <1132216531.437c40d3ca912@webmail.boxke.be>
In-Reply-To: <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>
References:  <20051117012552.46503.qmail@web51607.mail.yahoo.com> <20051116235527.4okakp84gk40osco@webmail.tuffmail.net>

Quoting Bill Desjardins <bill@ethernext.com>:

> Mark,
>
> Before going too nuts with trying to locate how they got in, let me ask: are
> you running a webserver on this server and any websites?
>
> Take a look in /tmp, /var/tmp and do a find for any directories which have
> 777 perms like uucppublic in /var. If so, are they owned by the web user? I
> have seen many IRC bots installed from poorly written php and perl programs
> into /tmp and such which are then run via the same security holes that
> allowed them to be installed. These programs can only be run on high port
> numbers and are owned by the webserver owner. 99 of 100 are usually IRC
> bots as well. Another thing to look for is if they installed a cron job for
> the web user which re-downloads the files if they are deleted. You can
> disable cron for www and it is recommended. I have seen these tactics more and
> more lately and the amount of bad 3rd party code used by my users doesn't
> help at all.
>
> HTH,
>
> Bill
>

This is very correct; most of the time the directory is named '. ..', ' ',
'...' or 'php-.....'. You'd better use 'find' to track the files down.

I had it in the past (users with old phpbbs); all these guys are searching
for is a 'sit' to get on IRC. I took a full tcpdump of the connections to get
enough evidence. Even better, those morons didn't disable the logging of
the BNC, so I had VERY clear connection logs right in their application
directory, which is SO stupid. I turned those logs over to their ISP and they
told me they would take care of the rest. Don't bother about the rest, they
are probably kids, and if you think it was unable to break out any further
from the www user, don't worry, just verify every bit the user could
touch.

Kind regards,
Jimmy Scott

----------------------------------------------------------------
This message has been sent through ihosting.be
To report spamming or other unaccepted behavior
by a iHosting customer, please send a message 
to abuse@ihosting.be
----------------------------------------------------------------
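As an added illustration (not code from either poster), the checks Bill and Jimmy describe as a small POSIX sh script: list world-writable directories under the given paths, flag the dot/space-only and 'php-' names Jimmy mentions, show the owner so you can compare it against the web user, and dump the web user's crontab. The web user name "www" and the search paths are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not from the thread: find the world-writable directories Bill
# describes, flag names like '. ..', ' ', '...' and 'php-...' (Jimmy's list),
# show who owns each one, and list the web user's crontab.
# Assumptions: web user "www", paths /tmp and /var/tmp (pass your own).

scan_tmp_dirs() {
    webuser="$1"; shift
    for base in "$@"; do
        [ -d "$base" ] || continue
        # -mindepth 1 skips the base itself (/tmp is legitimately 1777);
        # -perm -0002 matches any directory that is world-writable.
        find "$base" -mindepth 1 -type d -perm -0002 2>/dev/null |
        while IFS= read -r dir; do
            name=${dir##*/}
            owner=$(ls -ld -- "$dir" | awk '{print $3}')
            flag="world-writable"
            # A name made only of dots and spaces, or starting with "php-",
            # is easy to miss in a casual directory listing.
            if [ -z "$(printf '%s' "$name" | tr -d '. ')" ]; then
                flag="$flag,hidden-name"
            else
                case "$name" in php-*) flag="$flag,hidden-name" ;; esac
            fi
            [ "$owner" = "$webuser" ] && flag="$flag,owned-by-web-user"
            printf '%s\t%s\t%s\n' "$flag" "$owner" "$dir"
        done
    done
}

# Bill's other point: a cron job for the web user that re-downloads the files.
check_web_cron() {
    webuser="$1"
    crontab -u "$webuser" -l 2>/dev/null ||
        echo "no crontab readable for $webuser (run as root to be sure)"
    # System crontab entries that run as the web user.
    grep -E "^[^#]*[[:space:]]$webuser[[:space:]]" /etc/crontab 2>/dev/null || true
}

if [ $# -gt 0 ]; then
    # e.g.: sh scan.sh www /tmp /var/tmp
    scan_tmp_dirs "$@"
    check_web_cron "$1"
fi
```

Run it as root so every directory and crontab is readable; lines tagged hidden-name and owned-by-web-user are the ones to inspect first.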
