Take a look through your Apache logs to see the URL call they used to exploit the /tmp directory. Try searching for strings like: 'wget' or 'ftp' within your apache access logs. Chances are you will uncover the cuplrit script.
Judging by the permissions in the files in your /tmp directory they most likely did not get root on the box. In the future I would recommend chmod'ing the following executables to 700:
wget
ftp
lynx
If you can get away with chmoding perl to 700 that will help things also. Due to the permission settings on this files, they had to have executed the script with: perl filename.pl
Check out mod_security for Apache as well.
Peter
On 2/10/06, David <[EMAIL PROTECTED]> wrote:
Rick Macdougall wrote:
> David wrote:
>> *warning long email*
>>
>> Hi all,
>>
>> We have been running a Shupp toaster for about 18 months on a Redhat
>> 9 box, and the other day it appears it was compromised by spammers. I
>> thought if I posted a few things I found about the system drive
>> perhaps someone might be able to help me figure out how/how to
>> prevent this...
>>
>> apache 32499 32498 0 Feb08 ? S 0:00 \_ perl
>> /tmp/dc.txt 67.159.2
>> apache 32503 32499 0 Feb08 ? S 0:00 \_ /bin/bash
>
> Hi,
>
> I believe that is the xmlprc exploit against apache/php (could be the
> phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc).
>
> Upgrade your php and apache, find the xmlrpc.php in question and fix it.
>
> You can then use a tool like qmail-remove to clean out the queue.
>
> Regards,
>
> Rick
>
> !DSPAM:43ec99dc204751732444004!
>
Thanks Rick,
I'm running php 4.3.10 and I can't find any information about a xmlrpc
exploit; I also can't find any entries in my logs about dc.txt. I will
keep looking.
Thanks,
David.
