Strange connection

Matthew Saltzman mjs at ces.clemson.edu
Wed Jul 20 01:22:24 UTC 2005


On Tue, 19 Jul 2005, Gabe Warren wrote:

> Tomas Larsson wrote:
>
>> Doing a netstat on my server, I find a strange connection.
>> 
>> It's a crond-job with Apache as owner, and it seems to go to an
>> irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org", anyone
>> that knows what this is??
>> 
> Do you have awstats installed?  Check and see if you have any hidden 
> directories in /tmp.  There is an awstats exploit that allows uploads as the 
> apache user.  I found a process running as apache called init.d on one of my 
> servers.  It too was initiating connections out to IRC.  The EnergyMech irc 
> bot was uploaded and executed from the /tmp/.bin directory.
>
> This person has explained in detail his experience.
>
> http://www.angelar.com/~jeremy/computer/hacked.html
>
> Maybe this is what happened to you.

Just FYI, awstats-6.4 has that particular security hole patched.  If you 
are running anything older, upgrade now!

>
> gabe
>
>
>

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
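
The two checks suggested in this thread (hidden directories in /tmp owned by the apache user, and outbound connections to IRC), as an added example that is not part of the original messages. The function names, the sample netstat lines and the list of IRC ports are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage checks for the compromise pattern described in this thread.
# Function names and the sample netstat lines are constructed for illustration.

# Print hidden directories under DIR ($1) that are owned by USER ($2).
# Root-owned entries such as /tmp/.X11-unix are skipped by the owner filter.
hidden_dirs_owned_by() {
    find "$1" -type d -name '.*' 2>/dev/null | while IFS= read -r d; do
        owner=$(ls -ld "$d" | awk '{print $3}')
        if [ "$owner" = "$2" ]; then printf '%s\n' "$d"; fi
    done
}

# Read `netstat -tnp` output on stdin and print "PID/program remote-address"
# for established TCP connections to common IRC ports
# (assumed list: 6660-6669, 6697, 7000).
irc_conns() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($5, part, ":"); port = part[n] + 0
        if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000)
            print $7, $5
    }'
}

# Constructed sample (documentation address ranges), shaped like `netstat -tnp`.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           203.0.113.5:51544       ESTABLISHED 1802/httpd
tcp        0      0 192.0.2.10:43512        198.51.100.7:6667       ESTABLISHED 2231/init.d
tcp        0      0 192.0.2.10:22           203.0.113.9:40022       ESTABLISHED 977/sshd
EOF
}

echo "Hidden directories in /tmp owned by apache:"
hidden_dirs_owned_by /tmp apache
echo "Connections to IRC ports in the sample:"
sample_netstat | irc_conns
```

On a live server, pipe `netstat -tnp` (run as root so the PID/program column is filled in) into `irc_conns` instead of the sample.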
