Security Breach ?
Dave Jones
davej at redhat.com
Wed Mar 2 23:27:51 UTC 2005
On Wed, Mar 02, 2005 at 06:12:05PM -0500, Chris Strzelczyk wrote:

> if ($args =~ /^\001VERSION\001$/) {
> notice("$pn", "\001VERSION rootworm-$VERSAO in perl \001");

Oh dear. Seems to connect to undernet irc, and wait for commands
botnet-style by the looks of things (caveat: my perl-fu is weak).

What public facing scripts were you running on that server?
You've already ruled out phpBB, but anything else?

If you haven't done so already, I'd kill that process, take
the box offline for forensic purposes, and don't put it back online
until it's been reinstalled.

Dave