Steve Bertrand said the following on 08/26/2009 01:33 AM:

In this case, OP, look for:

- directories named as such:
-- ...
-- . ..
-- . .
-- etc, particularly under:
-- /var/tmp
-- /tmp
-- or anywhere else the [gu]id of the webserver could possibly write to

Thanks for the comments, Steve. This has indeed been the case here: there was a bunch of files installed by user 'www' (the webserver) in a directory called ".," in /tmp ; the script itself was in /tmp

Someone has suggested to me that the vulnerability might have been in the RoundCube webmail package which I had installed:

"Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message."

  Colin Brace

_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to