Server compromised
paul at topguncomputers.com
Sat Feb 19 02:45:48 UTC 2005
>
> On Fri, 18 Feb 2005 paul at topguncomputers.com wrote:
>
>> In place of FTP, what would you suggest? That is the only clear text
>> password service I allow. So what else can I use in place of that?
>>
>> And shell access is denied for all accounts, except for 2.
>>
>> I get the feeling this came in on awstats, although I'm not 100%
>> positive, and I'm wanting to find out how it got in first before I
>> just delete and restart over again.
>
> The only time I've had a Linux box compromised, it came in via a poorly
> configured ftp. What ftp server are you using? I had a wu-ftp (IIRC)
> online for about 20 minutes and a rootkit was installed in that time.
>
> Cheers,
>
> Al
>
I have vsftpd.
Actually I found the hole.
It was on a phpBB board, version 2.0.6. This isn't my board but a friend's.
I just host it for him. There is a script that is installed in the tmp
directory which is then run with perl. If I look in my Apache logs I can
see this long GET string.
So I'm gonna reinstall everything.
I also found a way to make the tmp directory non-executable. That way, even
if a script is installed in that directory in the future, it won't be
able to run.
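
One way to verify the non-executable tmp directory described above, as an added example that is not part of the original post: the script reads the mount table and reports whether the filesystem holding each directory carries the `noexec` option. The function names, the directory list and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reports whether the filesystem
# holding a directory is mounted noexec, using the /proc/mounts format:
#   device mountpoint fstype options dump pass

# Print the mount options of the mount that covers directory $1.
# $2 is the mount table to read (default /proc/mounts).
mount_opts() {
    awk -v d="$1" '
        # A mount covers d if it is d itself, the root, or a parent of d.
        $2 == d || $2 == "/" || index(d, $2 "/") == 1 {
            # Longest mount point wins; on a tie the later (top) mount wins.
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeed if comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print "noexec" or "exec" for directory $1 (mount table $2 optional).
exec_status() {
    if has_opt "$(mount_opts "$1" "$2")" noexec; then echo noexec; else echo exec; fi
}

# Constructed sample table: /tmp is its own noexec mount, /var/tmp is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Report on the live system when a mount table is available.
if [ -r /proc/mounts ]; then
    for d in /tmp /var/tmp /dev/shm; do
        echo "$d: $(exec_status "$d")"
    done
fi
```

`noexec` only blocks direct exec() of files on that filesystem; a script handed to an interpreter as an argument (`perl /tmp/x`) is read rather than executed, so it still runs. Other world-writable locations such as /var/tmp and /dev/shm need the same check.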