httpd-users mailing list archives

From zcat <z...@maxnet.co.nz>
Subject Re: [users@httpd] irc eggdrop exploit woes
Date Mon, 06 Jun 2005 23:47:03 GMT
Eben Goodman wrote:
> I actually know which user it got through on, it came in through an 
> insecure php nuke application.  I have since removed the nuke app, but 
> the damage appears to be done, since this eggdrop crap is still running 
> on the server.  Is there a way to find, and remove the software once it 
> has found its way on?
> 
I would advise a reinstall. It usually works out to be the quickest and 
surest way of recovering from a hack.

If you're _certain_ that they never had root, I guess you could find and 
remove the files using pstree, netstat, fuser, and ls -a. (pstree -up to 
find out what's spawning the rogue process, netstat and fuser to find 
out what ports are open and what opened them, ls -a to find hidden 
.files and .directories)

From my experience the bot scripts will be in a hidden .directory 
somewhere apache can write to (usually /tmp or /dev/shm) and started by 
the apache user's crontab.

If you have any reason to suspect that the attacker ever had root access 
reinstall the OS. They'll likely have installed all kinds of backdoors, 
trojaned logins, kernel modules, and who knows what else. It's just not 
practical to track down and remove all that stuff and you can never 
really be sure you found everything.

-- 
Disclaimer: Any disclaimer attached to this message may be ignored.
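
The checks described in the reply above (hidden entries in /tmp and /dev/shm, the web user's crontab, its processes, and listening sockets), collected into one triage script as an added example that is not part of the original thread. The web-server user name `apache` and the crontab sample used in testing are assumptions; `pstree`, `netstat`/`ss` and `crontab -u` need root to show everything.

```shell
#!/bin/sh
# Compromise triage for a web-user-level intrusion (added example, not from the thread).
# Assumption: the web server runs as "apache"; override with WEB_USER=www-data etc.
WEB_USER="${WEB_USER:-apache}"

# Hidden (dot-named) files and directories under the given scratch areas.
# Takes the directories as arguments so it can be pointed at a test tree.
find_hidden_scratch() {
    find "$@" -mindepth 1 -name '.*' 2>/dev/null
}

# Reads a crontab on stdin and prints the non-comment lines that run
# something out of /tmp or /dev/shm. Exit status is grep's: 1 means no hits.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E '(^|[[:space:]=;&|])(/tmp|/dev/shm)/'
}

# Processes owned by the web user with their parents; compare with pstree -up
# to see what spawned anything that is not a normal httpd worker.
web_user_processes() {
    ps -u "$WEB_USER" -o pid=,ppid=,user=,args= 2>/dev/null
}

# One pass over the live system (most steps need root to see everything).
triage() {
    echo "== hidden entries in /tmp and /dev/shm =="
    find_hidden_scratch /tmp /dev/shm
    echo "== $WEB_USER crontab entries executing from scratch directories =="
    crontab -u "$WEB_USER" -l 2>/dev/null | suspicious_cron_lines
    echo "== processes owned by $WEB_USER =="
    web_user_processes
    echo "== listening sockets and the processes that own them =="
    netstat -tulpn 2>/dev/null || ss -tulpn 2>/dev/null
}

# Only act on the live system when asked; sourcing the file just defines the functions.
case "${1:-}" in
    --run) triage ;;
esac
```

Run it as `sh triage.sh --run` as root and keep the output alongside the `pstree -up` and `fuser` results before removing anything, so the evidence survives the cleanup.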

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

