David wrote:
*warning long email*
Hi all,
We have been running a Shupp toaster for about 18 months on a Redhat 9
box, and the other day it appears it was compromised by spammers. I
thought if I posted a few things I found about the system drive perhaps
someone might be able to help me figure out how/how to prevent this...
apache 32499 32498 0 Feb08 ? S 0:00 \_ perl /tmp/dc.txt
67.159.2
apache 32503 32499 0 Feb08 ? S 0:00 \_ /bin/bash
Hi,
I believe that is the xmlprc exploit against apache/php (could be the
phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc).
Upgrade your php and apache, find the xmlrpc.php in question and fix it.
You can then use a tool like qmail-remove to clean out the queue.
Regards,
Rick
