From: Colin Brace
To: freebsd-questions@freebsd.org
Cc: Steve Bertrand
Date: Wed, 26 Aug 2009 10:35:46 +0200
Subject: Re: what www perl script is running?
Message-ID: <4A94F3E2.7060306@lim.nl>
In-Reply-To: <4A9474BE.6020501@ibctech.ca>

Steve Bertrand said the following on 08/26/2009 01:33 AM:
> In this case, OP, look for:
>
> - directories named as such:
> -- ...
> -- . ..
> -- . .
> -- etc, particularly under:
> -- /var/tmp
> -- /tmp
> -- or anywhere else the [gu]id of the webserver could possibly write to
>

Thanks for the comments, Steve. This has indeed been the case here: there was a bunch of files installed by user 'www' (the webserver) in a directory called ".," in /tmp; the script itself was in /tmp.

Someone has suggested to me that the vulnerability might have been in the RoundCube webmail package which I had installed:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413

"Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message."

--
Colin Brace
Amsterdam
http://www.lim.nl
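As an added example (not code from the thread), a small POSIX sh sweep for the indicators Steve lists: directories whose names are only dots, spaces or commas under /tmp and /var/tmp, and anything there owned by the web server user. The user name 'www' and the directory list come from the message; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original thread: a read-only sweep for the
# indicators described in the message. The web server user ('www') and the
# directories /tmp and /var/tmp are assumptions taken from the thread.

# Entries whose basename is only dots, spaces or commas (e.g. "...",
# ". ..", ".,") are easy to miss in a plain `ls`; print their full paths.
find_odd_names() {
    find "$1" -mindepth 1 2>/dev/null | while IFS= read -r path; do
        base=${path##*/}
        rest=$(printf '%s' "$base" | tr -d '. ,')
        if [ -z "$rest" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Everything under the given directories owned by the named user; a web
# server normally has no business creating files in a temp directory.
find_owned_by() {
    user=$1
    shift
    find "$@" -mindepth 1 -user "$user" 2>/dev/null
}

# Run both checks over the directories named in the thread.
sweep() {
    user=${1:-www}
    echo "== odd names under /tmp and /var/tmp"
    find_odd_names /tmp
    find_odd_names /var/tmp
    echo "== entries owned by $user under /tmp and /var/tmp"
    find_owned_by "$user" /tmp /var/tmp
}

# Only run the sweep when explicitly asked, e.g. RUN_SWEEP=1 sh sweep.sh www
[ "${RUN_SWEEP:-0}" = 1 ] && sweep "$@"
```

Any other directory writable by the web server uid can be added to the `sweep` list; the checks are read-only and can be run before deciding what to preserve for analysis.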