Eben Goodman wrote:
> I actually know which user it got through on, it came in through an
> insecure php nuke application. I have since removed the nuke app, but
> the damage appears to be done, since this eggdrop crap is still running
> on the server. Is there a way to find, and remove the software once it
> has found its way on?
I would advise a reinstall. It usually works out to be the quickest and
surest way of recovering from a hack.
If you're _certain_ that they never had root, I guess you could find and
remove the files using pstree, netstat, fuser, and ls -a. (pstree -up to
find out what's spawning the rogue process, netstat and fuser to find
out what ports are open and what opened them, ls -a to find hidden
.files and .directories)
From my experience the bot scripts will be in a hidden .directory
somewhere apache can write to (usually /tmp or /dev/shm) and started by
the apache user's crontab.
If you have any reason to suspect that the attacker ever had root access
reinstall the OS. They'll likely have installed all kinds of backdoors,
trojaned logins, kernel modules, and who knows what else. It's just not
practical to track down and remove all that stuff and you can never
really be sure you found everything.
--
Disclaimer: Any disclaimer attached to this message may be ignored.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
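The cleanup the reply sketches for the never-had-root case, as an added example (not code from the original reply, nor from the Apache project): look for hidden dot-entries in the directories apache can write to, filter the apache user's crontab for entries that run from /tmp, /var/tmp, /dev/shm or a hidden path, and run the pstree/netstat/fuser checks the reply names. The function names, the WEB_USER default of "apache" and the sample crontab are assumptions and constructed data.

```shell
#!/bin/sh
# Post-compromise triage for the case above: a bot dropped via a web app,
# running as the apache user, living in a hidden dot-directory under /tmp or
# /dev/shm and restarted from the apache user's crontab.
# Added example, not code from the original reply. Assumptions: the web server
# user is "apache" (override with WEB_USER), find supports -mindepth, and the
# live commands (pstree, netstat or ss, fuser, crontab) are those the reply names.
# Caveat from the reply: if root may have been taken, none of these tools can be
# trusted (trojaned binaries, kernel modules); reinstall instead.

WEB_USER="${WEB_USER:-apache}"

# Print every hidden entry (name starting with ".") beneath the given
# directories, sorted. These are the drop zones a web-user bot usually uses.
find_hidden_entries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -name '.*' -print 2>/dev/null
    done | sort
}

# Filter crontab text on stdin down to entries that execute something from a
# world-writable location or from a hidden path. Exit status is 1 when nothing
# matched (grep semantics), so callers can test it directly.
suspicious_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
        grep -E '/(tmp|var/tmp|dev/shm)/|/\.[^/[:space:]]+'
}

# Which process opened a given TCP port (IRC bots commonly hold 6667/6697).
port_owner() {
    fuser -v -n tcp "$1"
}

# Live triage with the commands the reply names. Needs root to see other
# users' processes and crontabs; prints for a human to read.
live_triage() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "live_triage: run as root" >&2
        return 1
    fi
    echo "== process tree for $WEB_USER (pstree -up: who spawned what) =="
    pstree -up "$WEB_USER" 2>/dev/null || ps -u "$WEB_USER" -o pid,ppid,user,args
    echo "== listening sockets and the processes that own them =="
    netstat -tulpn 2>/dev/null || ss -tulpn
    echo "== hidden entries in /tmp, /var/tmp, /dev/shm =="
    find_hidden_entries /tmp /var/tmp /dev/shm
    echo "== suspicious entries in $WEB_USER's crontab =="
    crontab -l -u "$WEB_USER" 2>/dev/null | suspicious_cron_entries || echo "(none)"
    echo "== running binaries located in a drop zone or already deleted =="
    ls -l /proc/[0-9]*/exe 2>/dev/null |
        grep -E '/(tmp|var/tmp|dev/shm)/|\(deleted\)' || echo "(none)"
}

# Constructed sample crontab (not real data), used by --demo to show what
# suspicious_cron_entries flags: the logrotate line passes, the other two hit.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * /tmp/.ICE-unix/.x/run.sh >/dev/null 2>&1
@reboot /dev/shm/.s/bot'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
elif [ "${1:-}" = "--live" ]; then
    live_triage
fi
```

Run it as root with `--live` on the affected box; `--demo` shows the crontab filter on the constructed sample. Killing the process is not enough on its own: remove the crontab entry and the hidden directory first, then kill the parent found with pstree, or the cron entry will simply respawn it.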