httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eben Goodman <e...@bakedbean.net>
Subject Re: [users@httpd] irc eggdrop exploit woes
Date Mon, 06 Jun 2005 23:07:04 GMT
I actually know which user it got through on, it came in through an 
insecure php nuke application.  I have since removed the nuke app, but 
the damage appears to be done, since this eggdrop crap is still running 
on the server.  Is there a way to find, and remove the software once it 
has found it's way on?

thanks,
Eben

Dan Mahoney, System Admin wrote:

> On Mon, 6 Jun 2005, Eben Goodman wrote:
>
> If you're doing multi-hosting, look into suexec.  the fact that it 
> runs CGI's as the user is kinda secondary to the fact that it shows 
> you WHICH user uploaded the insecure script.
>
> For PHP scripts, I've had good luck running suPHP (which is not an 
> official apache project, but something similar really should be).
>
> -Dan
>
>
>> I recently had an irc exploit on my server running this eggdrop relay 
>> thing via apache.  I was able to find the offending files and remove 
>> them and the eggdrop processes went away for awhile, but now they are 
>> back and try as I might I can't find any files that correspond to 
>> this software.  When viewing top it shows the eggdrop processes 
>> running as apache.  If I don't reboot the server for a couple days 
>> the eggdrop apache processes start sucking up all cpu and gobbling 
>> bandwidth.
>>
>> Has anyone else dealt with this?
>>
>> thanks,
>> Eben
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server 
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> -- 
>
> Amerikanskaya firma Transceptor Technology pristupila k poizvodstu 
> komputerov "Personal'ni Sputnik"
>
> --Snap, "The Power"
>
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message