[Full-disclosure] Trojan found on Linux server
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Mon Jan 2 21:43:20 GMT 2006
Niek wrote:
> This is a much seen thing these days.
> Your customer probably got attacked by an insecure php script
> (cacti/xmlphp/awstats/ect). Check your apache logs.
> if I grep my logs for wget, I see tons of attempts.
Roger that. It wasn't important enough to us to pursue. I just
recently signed on with this customer and was in the process of moving
their websites over to new, freshly installed servers from the Red Hat
Linux 9 boxes they were running on. Since we're about to rebuild the
server anyways, it wasn't worth the time to pursue.
> The trojan is a an irc drone, listinging for ddos commands/ect.
Yep, when running "strings" on it I noticed a few IP addresses
(219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as
commands indicative of IRC ("NOTICE", "NICK", "PRIVMSG", etc.)
-j
--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
Full-Disclosure is hosted and sponsored by Secunia.