On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz <vladislav.k...@webstep.net> wrote:
> Well, this really looks suspicious. Look for unexpected processes running,
> open ports, etc. Directory /dev/shm/ is world-writable like /tmp, so chances
> are that the attacker did not gain root yet. But he might have a shell
> listening on some port and trying hard to get root using some local exploit.

I agree, chances are the box hasn't been exploited just yet, but I would be worried about just how he got that file there in the first place. We know that directory is world-writable, so it could have been written by anything, but what? Sometimes the ownership of the file will give it away. For example, if the file is owned by www-data, you know some exploit in Apache (usually PHP!) was used to gain file system access.
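
The ownership check described in the reply above, as an added example that is not part of the original thread: a triage function that lists every regular file in a scratch directory with its owner, and flags files owned by a service account or carrying an execute bit. It assumes GNU find (`-printf`), as shipped on Debian; the `SERVICE_USERS` list and the `triage_dir` name are hypothetical and should be adapted to the accounts on the host.

```shell
#!/bin/sh
# Added triage example (not from the thread). Assumes GNU find.

# Hypothetical list of service accounts whose ownership of a dropped file
# points at the daemon that was abused to write it.
SERVICE_USERS="www-data mysql postgres nobody"

# triage_dir DIR
# Prints one tab-separated line per regular file:
#   <flags> <owner> <mode> <mtime> <path>
# flags is "none", "SERVICE-OWNER", "EXEC" or "SERVICE-OWNER,EXEC".
triage_dir() {
    dir=$1
    find "$dir" -xdev -type f \
        -printf '%u\t%M\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null |
    while IFS="$(printf '\t')" read -r owner mode mtime path; do
        flags=""
        for u in $SERVICE_USERS; do
            if [ "$owner" = "$u" ]; then
                flags="SERVICE-OWNER"
            fi
        done
        # Symbolic mode: x, s or t means at least one execute bit is set.
        case "$mode" in
            *[xst]*) flags="${flags:+$flags,}EXEC" ;;
        esac
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "${flags:-none}" "$owner" "$mode" "$mtime" "$path"
    done
}

# Stand-alone use: check the directory given as $1, or /dev/shm by default.
target=${1:-/dev/shm}
if [ -d "$target" ]; then
    triage_dir "$target"
fi
```

The modification time in the output can then be matched against the web server or other daemon logs for the flagged owner.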