Blackhole

Mike Klinke mklinke at axsi.com
Mon Apr 11 13:56:43 UTC 2005


On Monday 11 April 2005 07:24, Chris Kenward wrote:
> Hi Folks
>
> Not sure whether this is the right spot for this. If not could
> someone please suggest where to take it to?
>
> I've just discovered a file called "blackhole" in the /tmp
> directory on one of my Redhat ES servers, which is completely up
> to date so a bit gobsmacked that this could happen.
>
> Could some kind soul tell me how to get rid of it along with any
> listening devices which may have been installed, and how to
> protect from it again?
>
> The machine is a web server and is therefore available via port
> 80. I also allow customers to FTP into the server using vsftpd
> which I thought was pretty secure. Not sure if either of these
> could be the culprit this time...
>

Perhaps this will help to identify the file:

http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670

If your machine has been compromised, the best thing to do is to
format and re-install, taking care not to open the same security
hole that allowed the first compromise.

Regards, Mike Klinke




More information about the redhat-list mailing list