Guys, I need some help here. I have a RaQ that is being hacked in some way. It is fully patched (Sun-wise), plus various other patches: SSH from Solarspeed etc.

Now, I haven't tried any updates to Apache or to PHP further than 4.1.2. My suspicions are with Apache or PHP in some way. Here are the reasons and the evidence.

Files appear in /home/tmp:

r0nin
iroffer
psybnc

They are all owned by httpd and in the root group.

http://iroffer.org/

iroffer is a software program that acts as a fileserver for IRC. It is similar to a FTP server or WEB server, but users can download files using the DCC protocol of IRC instead of a web browser. Unlike similar programs, iroffer is not a script, it is a standalone executable written entirely in C from scratch with high transfer speed and efficiency in mind. iroffer has been found to transfer over 50MByte/sec over a gigabit ethernet connection.

http://www.psychoid.net/psybnc.html

This appears to be to do with downloading as well, at a quick glance.

Then with some searching I think I got a breakthrough:

http://autsys.com/files/

This is presumably a hacker resource with a nice file called c0balt6.sh - a quick read of this suggests that it is a hack for Apache 1.3.20 or less.

So the answer would appear to be to upgrade Apache to a later version - but no upgrade from Sun. I remember now why I left, but this is a live production box along with several others I have, so what alternatives are there out there and what has been tried and tested?

Thanks
Gavin
