Barbara M., 15.11.2005 19:25:

> A friend who has an httpd server based on TSL 2.2 has received this
> mail:
>
> -------------------------------------------
> Subject: Your_host_have_been_attacked
>
> Your host have been attacked by pv script. Look on netstat -anp for
> process listen on 4123 port
>
> -------------------------------------------
>
>
> It tells me that there is a process listening on port 4123 and another on
> 22222. Stopping httpd and killing the process that owns the daemons seems
> to temporarily "solve" the problem.
> He did that process are owned by httpd.
> It is now busy in rebuilding a new box where to migrate data, so request
> me to collect info on the "pv script".
> Any hints?

Name of process? Where does it live on the filesystem? What does a 'strings filename' reveal?

Go through the access-logs for Apache. My guess is that there was a badly written PHP app on it and that led to remote execution vulnerabilities. The fact that all the parasites ran as httpd and not root points very hard in that direction.

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
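
The triage questions in the reply above (process name, location on disk, owner) as an added shell example, not part of the original thread: it maps the two ports reported in the thread to PIDs from `netstat -anp` output and then reads the details from `/proc`. The function names `listeners_on` and `describe_pid` and the sample netstat text are constructed for illustration; a Linux `/proc` and GNU `stat` are assumed.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not taken from the affected host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:4123            0.0.0.0:*               LISTEN      4711/httpd
tcp        0      0 :::22222                :::*                    LISTEN      4712/-bash
tcp        0      0 10.0.0.5:80             10.0.0.9:4123           ESTABLISHED 1201/httpd'

# listeners_on PORT... : reads netstat -anp text on stdin and prints
# "port pid program" for every socket LISTENing on one of the given local ports.
listeners_on() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # local port follows the last colon (IPv4 and IPv6)
            if (port in want) {
                split($7, pp, "/")            # column 7 is PID/Program name
                print port, pp[1], pp[2]
            }
        }'
}

# describe_pid PID : name, on-disk location and owner of a running process.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: no longer running"; return 1; }
    echo "pid:   $pid"
    echo "owner: $(stat -c %U "/proc/$pid")"
    echo "exe:   $(readlink "/proc/$pid/exe")"   # ends in " (deleted)" if the file was unlinked
    echo "cwd:   $(readlink "/proc/$pid/cwd")"
    echo "cmd:   $(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# Offline demo against the constructed sample; the ESTABLISHED line whose
# *foreign* port is 4123 is correctly ignored.
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on 4123 22222

# Live use, as root so netstat shows PIDs, before killing anything:
#   netstat -anp | listeners_on 4123 22222 | while read -r port pid prog; do
#       describe_pid "$pid"
#   done
```

The `exe` path printed by `describe_pid` is the file to run `strings` on, and if it is marked deleted the binary can still be copied out of `/proc/PID/exe` while the process is alive.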
