[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] one of my servers has been compromized
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] one of my servers has been compromized
- From: Lucio Crusca <lucio@xxxxxxxxxx>
- Date: Mon, 05 Dec 2011 19:19:16 +0100
John Jacobs wrote:
> In my previous experience, including a few vulnerabilities in Roundcube,
> I've seen a programmatic scan, exploitation, and then wget/dropping of a
> Perl IRC bot. Of course this is all speculation based on previous
> experience, I am not looking at lucio's box. The Apache access/error logs
> should have the offending log entries and/or any output from the
> system()/exec() etc PHP functions. Lucio -- what user was the IRC bot
> running under?
www-data
> Lucio, I would also recommend subscribing to the Ubuntu Security-Announce
> mailing lists which issue the USNs so you are aware of which packages have
> been patched and those which require a reboot to effect the changes, such
> as Kernel update.
hosted vps, the kernel updates are up to the provider.
> James you are correct regarding the shell; I would assume /bin/sh would be
> pointed to /bin/dash or /bin/bash on a Ubuntu system. I would assume the
> user's login shell would be /bin/bash.
Ubuntu has bash and dash installed by default, and /bin/sh -> dash, but any
user is defaulted to /bin/bash
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/