Server compromised

Jeff Vian jvian10 at charter.net
Sun Feb 20 00:09:24 UTC 2005


On Fri, 2005-02-18 at 18:45 -0800, paul at topguncomputers.com wrote:
> >
> > On Fri, 18 Feb 2005 paul at topguncomputers.com wrote:
> >
> >> In place of FTP, what would you suggest? That is the only clear text
> >> password service I allow. So what else can I use in place of that?
> >>
> >> And shell access is denied for all accounts except for 2.
> >>
> >> I get the feeling this came in on awstats, although I'm not 100%
> >> positive, and I'm wanting to find out how it got in first before I
> >> just delete and restart over again.
> >
> > The only time I've had a Linux box compromised, it came in via a poorly
> > configured ftp. What ftp server are you using? I had a wu-ftp (IIRC)
> > online for about 20 minutes and a rootkit was installed in that time.
> >
> > Cheers,
> >
> > Al
> >
> >
> 
> 
> I have vsftpd.
> 
> Actually I found the hole.
> 
> It was on a phpbb board version 2.0.6. This isn't my board but a friend's.
> I just host it for him.  There is a script that is installed in the tmp
> directory which is then run with perl.  If I look in my apache logs I can
> see this long GET string.
> 
There is a known hole in phpBB.

Make sure you have the updated code and not the vulnerable one.

> So I'm gonna reinstall everything.
> 
> I also found a way to make the tmp directory non-executable. That way, even
> if a script is installed in that directory in the future, it won't be
> able to run.
> 
> 
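The long GET string in the Apache logs mentioned in this thread is something a log review can search for. The following is an added example, not part of the original messages: a Python scan of access-log lines for GET requests whose query string is unusually long or, once URL-decoded, mentions `/tmp` or `perl`. The length threshold, the marker list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed values (not from the thread); tune them for your own site.
MAX_QUERY_LEN = 200
MARKERS = ("/tmp", "perl")

# Leading fields of an Apache common/combined log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode_fully(text, rounds=3):
    """URL-decode repeatedly so double-encoded strings are normalised too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines):
    """Return one finding per GET request that is long or carries a marker."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path, _, query = m["target"].partition("?")
        decoded = decode_fully(query).lower()
        reasons = ["long-query"] if len(query) > MAX_QUERY_LEN else []
        reasons += [f"marker:{k}" for k in MARKERS if k in decoded]
        if reasons:
            findings.append({"line": n, "ip": m["ip"], "time": m["ts"],
                             "path": path, "status": m["status"],
                             "reasons": reasons})
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2005:10:01:02 -0800] "GET /forum/index.php?topic=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2005:10:05:40 -0800] "GET /forum/page.php?x='
    + "A" * 220 + '%2520perl%2520%252Ftmp%252Fexample HTTP/1.0" 200 312',
    '192.0.2.11 - - [18/Feb/2005:10:06:00 -0800] "POST /forum/login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The timestamp and client address of each finding give a starting point for building the timeline of how the script reached the tmp directory before the reinstall wipes the evidence.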



