Blackhole

Burke, Thomas G. tg.burke at ngc.com
Mon Apr 11 14:46:32 UTC 2005


Is it possible that you have some shell accounts on your system and that one of your users is trying to run this? The C code by itself won't harm anything, and from what you say, it does not appear to have been compiled. Perhaps just upgrading to the newest Apache will fix? Looking at the links provided below seems to indicate that the executable must be run, to try to break the Apache server through the listed port. I've seen this attempt many times on my machine, & AFAIK, it's never been successful.
 
    -Tom

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]On Behalf Of Chris Kenward
Sent: Monday, April 11, 2005 10:23 AM
To: mklinke at axsi.com; 'General Red Hat Linux discussion list'
Subject: RE: Blackhole



Hi Mike 

> Perhaps this will help to identify the file: 

> http://www.packetstormsecurity.org/0209-exploits/free-apache.txt 
> http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670 

> If your machine has been compromised, the best thing to do is to 
> format and re-install, taking care not to open the same security 
> hole that allowed the first compromise. 

Many thanks. The web server has more than 200 websites on it, which is going 
to make it exceedingly difficult to track which of those allowed the attack. 
The server has only recently been rebuilt, at the cost of lots of stress 
while our customers whinged about their sites not being there, and I'm 
pretty loath to go through that all again. 

There is mention in the link above regarding directories called: 
/tmp/.blackhole.c 

There isn't a directory called .blackhole.c on the server - just the one 
executable binary in the /tmp folder. I can't find anything else on the 
server which looks as though someone has had root access to the machine but 
there again I'm no Linux expert so it could be staring me in the face. 

Is there an "easy" way to track how this person got into the server? I 
notice that the latest update for PHP from the RHN is 4.3.2 and I understand 
from searches I've done on the 'net that 4.3.10 or even the latest 4.3.11 is 
urgently advised due to "holes" in earlier versions. Not sure, however, 
whether this is how the person managed to drop that on the server. 

Regards 
Chris 


-- 
redhat-list mailing list 
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe 
https://www.redhat.com/mailman/listinfo/redhat-list 
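A defender-side triage script for the situation in this thread, added here as an example (it is not code from the thread, from Red Hat, or from any project). It checks whether a file dropped in /tmp is C source or a compiled ELF binary (Tom's question of whether it was ever compiled), records owner, mode and mtime, looks for any running process backed by the file, and pulls the Apache access-log lines from the same minute as the file's mtime, which on a host with 200 sites narrows the search for which site was hit to a handful of requests. It assumes GNU coreutils (stat -c, date -d, touch -d), a Linux /proc filesystem, and an Apache combined-format log with +0000 timestamps; the file names, log lines and mtime below are constructed fixture data, not anything from the original server.

```shell
#!/bin/sh
# Added triage helper (example code, not from the thread or any project).
# Assumptions: GNU coreutils (stat -c, date -d, touch -d), a Linux /proc
# filesystem, and an Apache combined-format access log with +0000 timestamps.

# Classify a file by its content: compiled ELF binary, C source, or other.
# This answers the "was it ever compiled?" question without executing it.
classify_file() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo elf-binary
    elif grep -q -E '^[[:space:]]*#include|main[[:space:]]*\(' "$1"; then
        echo c-source
    else
        echo other
    fi
}

# Owner, mode and modification time of the file.
file_summary() {
    stat -c 'owner=%U mode=%a mtime=%y' "$1"
}

# PIDs of processes whose executable is this file (a dropped file sitting
# on disk is a different situation from one that is already running).
running_pids_for() {
    target=$(readlink -f "$1")
    for exe in /proc/[0-9]*/exe; do
        if [ "$(readlink "$exe" 2>/dev/null)" = "$target" ]; then
            echo "$exe" | cut -d/ -f3
        fi
    done
}

# Access-log lines from the same minute as the file's mtime: on a shared
# host this narrows "which of the 200 sites" to the requests served then.
# $1 = file, $2 = access log, $3 = optional epoch override.
requests_at_mtime() {
    epoch=${3:-$(stat -c %Y "$1")}
    stamp=$(LC_ALL=C date -u -d "@$epoch" +'%d/%b/%Y:%H:%M')
    grep -F "[$stamp" "$2" || true
}

# Constructed fixture: a fake ELF header, a C source file and three
# constructed log lines, with the binary's mtime set to the middle one.
make_fixture() {
    dir=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$dir/blackhole"
    printf '#include <stdio.h>\nint main(void) { return 0; }\n' > "$dir/blackhole.c"
    cat > "$dir/access_log" <<'EOF'
10.0.0.5 - - [11/Apr/2005:10:22:58 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [11/Apr/2005:10:23:04 +0000] "POST /site42/upload.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
10.0.0.5 - - [11/Apr/2005:10:31:10 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
EOF
    touch -d '2005-04-11 10:23:30 UTC' "$dir/blackhole"
    echo "$dir"
}

# Run the triage against the fixture; on a live host call the functions
# above with the path of the dropped file and the real access log instead.
demo() {
    dir=$(make_fixture)
    for f in "$dir/blackhole" "$dir/blackhole.c"; do
        echo "$f: $(classify_file "$f"); $(file_summary "$f")"
        pids=$(running_pids_for "$f")
        echo "  running pids: ${pids:-none}"
        echo "  requests in the same minute as mtime:"
        requests_at_mtime "$f" "$dir/access_log" | sed 's/^/    /'
    done
    rm -rf "$dir"
}

demo
```

Run as-is it works on the fixture; on a real host call classify_file, file_summary, running_pids_for and requests_at_mtime with the dropped file and the relevant vhost's access log. Keep the timezone consistent: if the log's offset is not +0000, format the epoch in that zone rather than with -u. A match in the log is a lead, not proof, since the request that wrote the file can precede the mtime if the file was modified again later.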