Rick Macdougall wrote:
David wrote:
*warning long email*
Hi all,
We have been running a Shupp toaster for about 18 months on a Redhat
9 box, and the other day it appears it was compromised by spammers. I
thought if I posted a few things I found about the system drive
perhaps someone might be able to help me figure out how/how to
prevent this...
apache 32499 32498 0 Feb08 ? S 0:00 \_ perl /tmp/dc.txt 67.159.2
apache 32503 32499 0 Feb08 ? S 0:00 \_ /bin/bash
Hi,
I believe that is the xmlrpc exploit against apache/php (could be the
phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc).
Upgrade your php and apache, find the xmlrpc.php in question and fix it.
You can then use a tool like qmail-remove to clean out the queue.
Regards,
Rick
Thanks Rick,
I'm running php 4.3.10 and I can't find any information about an xmlrpc
exploit; I also can't find any entries in my logs about dc.txt. I will
keep looking.
Thanks,
David.
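
Added example, not part of the thread and not written by either poster: a triage script that reads a process listing in the column layout of the excerpt above (UID PID PPID C STIME TTY STAT TIME CMD) and flags web-server-owned processes running code out of a temp directory, plus any shell they spawned. The account names, directory list and sample listing are assumptions constructed for illustration.

```python
import os

# Assumptions, not from the thread: accounts a web server may run as,
# and the world-writable directories treated as staging areas.
WEB_USERS = {"apache", "www-data", "httpd", "nobody"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash"}
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}

# Constructed sample listing; 192.0.2.10 is a documentation address.
SAMPLE = r"""UID        PID  PPID  C STIME TTY STAT TIME CMD
root      1200     1  0 Feb01 ?   S    0:03 /usr/sbin/httpd
apache   32498  1200  0 Feb08 ?   S    0:00  \_ /usr/sbin/httpd
apache   32499 32498  0 Feb08 ?   S    0:00      \_ perl /tmp/dc.txt 192.0.2.10
apache   32503 32499  0 Feb08 ?   S    0:00          \_ /bin/bash
apache   32510  1200  0 Feb08 ?   S    0:00  \_ /usr/sbin/httpd
"""

def parse_ps(text):
    """Return {pid: {"user", "ppid", "argv"}} for each process line."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 8)
        if len(f) < 9 or not (f[1].isdigit() and f[2].isdigit()):
            continue  # header or malformed line
        argv = f[8].lstrip(" |\\_").split()  # drop forest-view drawing chars
        if argv:
            procs[int(f[1])] = {"user": f[0], "ppid": int(f[2]), "argv": argv}
    return procs

def suspicious(procs):
    """Return {pid: reason} for web-user processes tied to temp-dir code."""
    hits = {}
    for pid, p in procs.items():
        argv = p["argv"]
        if p["user"] not in WEB_USERS:
            continue
        if argv[0].startswith(TEMP_DIRS):
            hits[pid] = "binary executed from temp dir"
        elif (os.path.basename(argv[0]) in INTERPRETERS
              and any(a.startswith(TEMP_DIRS) for a in argv[1:])):
            hits[pid] = "interpreter running script from temp dir"
    changed = True
    while changed:  # propagate to shells spawned by flagged processes
        changed = False
        for pid, p in procs.items():
            if (pid not in hits and p["ppid"] in hits
                    and os.path.basename(p["argv"][0]) in SHELLS):
                hits[pid] = "shell spawned by flagged pid %d" % p["ppid"]
                changed = True
    return hits

if __name__ == "__main__":
    for pid, why in sorted(suspicious(parse_ps(SAMPLE)).items()):
        print(pid, why)
```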