lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon Jan  2 21:43:46 2006
From: jeremy at linuxwiz.net (Gaddis, Jeremy L.)
Subject: Trojan found on Linux server

Niek wrote:
> This is a much seen thing these days.
> Your customer probably got attacked by an insecure php script 
> (cacti/xmlphp/awstats/ect). Check your apache logs.
> if I grep my logs for wget, I see tons of attempts.

Roger that.  It wasn't important enough to us to pursue.  I just 
recently signed on with this customer and was in the process of moving 
their websites over to new, freshly installed servers from the Red Hat 
Linux 9 boxes they were running on.  Since we're about to rebuild the 
server anyways, it wasn't worth the time to pursue.

> The trojan is a an irc drone, listinging for ddos commands/ect.

Yep, when running "strings" on it I noticed a few IP addresses 
(219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as 
commands indicative of IRC ("NOTICE", "NICK", "PRIVMSG", etc.)

-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux