Strange connection
Mike McCarty
mike.mccarty at sbcglobal.net
Wed Jul 20 18:25:01 UTC 2005
Matthew Saltzman wrote:
> On Tue, 19 Jul 2005, Gabe Warren wrote:
>
>> Tomas Larsson wrote:
>>
>>> Doing a netstat on my server, I find a strange connection.
>>>
>>> It's a crond-job with Apache as owner, and it seems to go to an
>>> irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org",
>>> anyone
>>> that knows what this is??
>>>
>> Do you have awstats installed? Check and see if you have any hidden
>> directories in /tmp. There is an awstats exploit that allows uploads
>> as the apache user. I found a process running as apache called
>> init.d on one of my servers. It too was initiaiting connections out
>> to IRC. The EnergyMech irc bot was uploaded and executed from the
>> /tmp/.bin directory.
>>
>> This person has explained in detail his experience.
>>
>> http://www.angelar.com/~jeremy/computer/hacked.html
>>
>> Maybe this is what happened to you.
>
>
> Just FYI, awstats-6.4 has that particular security hole patched. If
> you are running anything older, upgrade now!
> enter email address
>
>>
>> gabe
>>
>>
>>
>
I'm running FC2 now. I did a netstat and didn't see any connections
I couldn't account for.
I have set up for FC2 legacy updates, and done a
# yum update
which pulled several packages.
What should I do in order to defend against this sort of attack?
I'm not familiar with iptables, though I just looked, and it
didn't look like much was blocked. I don't have awstats, I guess,
as
$ su -
# man awstats
No manual entry for awstats
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
More information about the fedora-list
mailing list