| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <jbj1v5$u5$1@dough.gmane.org> Date: Mon, 05 Dec 2011 19:19:16 +0100 From: Lucio Crusca <lucio@...web.org> To: full-disclosure@...ts.grok.org.uk Subject: Re: one of my servers has been compromized John Jacobs wrote: > In my previous experience, including a few vulnerabilities in Roundcube, > I've seen a programmatic scan, exploitation, and then wget/dropping of a > Perl IRC bot. Of course this is all speculation based on previous > experience, I am not looking at lucio's box. The Apache access/error logs > should have the offending log entries and/or any output from the > system()/exec() etc PHP functions. Lucio -- what user was the IRC bot > running under? www-data > Lucio, I would also recommend subscribing to the Ubuntu Security-Announce > mailing lists which issue the USNs so you are aware of which packages have > been patched and those which require a reboot to effect the changes, such > as Kernel update. hosted vps, the kernel updates are up to the provider. > James you are correct regarding the shell; I would assume /bin/sh would be > pointed to /bin/dash or /bin/bash on a Ubuntu system. I would assume the > user's login shell would be /bin/bash. Ubuntu has bash and dash installed by default, and /bin/sh -> dash, but any user is defaulted to /bin/bash _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists