One easy patch, while you solve the actual problem, is to prevent them from creating that file. Put one in /tmp that they can't overwrite.
Go to /tmp and "touch dc.txt". That creates an empty file by that name. Now lock it with "chattr +i dc.txt". That makes it "immutable" or completely unchangeable - even by root. Of course, this only works if the hacker script file is always named dc.txt. Plus - it's only a patch, while you find and fix the exploit they're using.

Chuck

---------- Original Message -----------
From: Gerald Waugh <[email protected]>
To: BlueOnyx General Mailing List <[email protected]>
Sent: Mon, 29 Nov 2010 11:08:22 -0600
Subject: [BlueOnyx:05931] hacker scripts

> Have a server been exploited several times
> they come in through httpd
> install scripts in /tmp
>
> this one was dc.txt
>
> # Priv8 ** Priv8 ** Priv8
> # IRAN HACKERS SABOTAGE Connect Back Shell
> # code by:LorD
> # We Are :LorD-C0d3r-NT-\x90
> # Email:[email protected]
>
> we also had .sep and send
> send sends sms email, by the thousands @tmomail.net
>
> How can I stop these people from downloading and running their scripts
> in /tmp using httpd
>
> --
> Gerald
>
> _______________________________________________
> Blueonyx mailing list
> [email protected]
> http://www.blueonyx.it/mailman/listinfo/blueonyx
------- End of Original Message -------
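A read-only audit to go with the stopgap in the reply above, as an added example that is not part of the thread: it lists files in a directory owned by the web server account, marks those that start with "#" like the quoted dc.txt, and checks that the placeholder is empty and immutable. The account name "apache", the function names and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumed names: web server account "apache", placeholder /tmp/dc.txt.

# files_owned_by DIR USER: regular files under DIR owned by USER
# (USER may be an account name or a numeric uid).
files_owned_by() {
    find "$1" -xdev -type f -user "$2" -print 2>/dev/null
}

# looks_like_script FILE: heuristic; true when the first byte is '#',
# which covers a shebang line and a comment banner like the one in dc.txt.
looks_like_script() {
    head -c 1 "$1" 2>/dev/null | grep -q '^#'
}

# audit_dir DIR USER: print "SCRIPT <path>" or "OTHER <path>" per file found.
audit_dir() {
    files_owned_by "$1" "$2" | while IFS= read -r f; do
        if looks_like_script "$f"; then
            echo "SCRIPT $f"
        else
            echo "OTHER $f"
        fi
    done
}

# placeholder_locked FILE: true when FILE is empty and carries the immutable
# flag set by "chattr +i" (needs lsattr and a filesystem with that flag).
placeholder_locked() {
    [ -f "$1" ] && [ ! -s "$1" ] || return 1
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}

# Run the checks only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
    audit_dir /tmp apache
    placeholder_locked /tmp/dc.txt ||
        echo "WARNING: /tmp/dc.txt is not an empty immutable file"
fi
```

Run it as root with --run, for example from cron, so new files written to /tmp by the httpd account are noticed even when they are not named dc.txt.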
