RE: Strange connection



Well, disconnected now.
Actually I'm running phpbb on the system.



Going through the logs, I have seen some strange things.
It seems that obviously someone got into this server, and made it
download some nasty things:
I assume that they used phpBB to get in??

gulie.tgz, this one is clearly a virus, Symantec calls it "Linux.RST.B"

The others are

cycomm.tar.gz
roots.tar

Haven't got a clue what it is, but I don't think they are nice.

Now, the big question is, will they affect other boxes on the network as
well? I assume that the XP boxes should be alright.

Is there any app I can use to scan my other Linux boxes (not running
httpd) and see if they are infected, and the infected one to find out what
happened?

And yes, I will do a complete reinstall, on reformatted disks.

With best regards

Tomas Larsson
Sweden

Verus Amicus Est Tamquam Alter Idem

> -----Original Message-----
> From: fedora-list-bounces redhat com
> [mailto:fedora-list-bounces redhat com] On Behalf Of Scot L. Harris
> Sent: Wednesday, July 20, 2005 1:58 AM
> To: Fedora List
> Subject: Re: Strange connection
>
>
> On Tue, 2005-07-19 at 19:29, Tomas Larsson wrote:
> > Doing a netstat on my server, I find a strange connection.
> >
> > It's a crond-job with Apache as owner, and it seems to go to an
> > irc-server, called 193.110.95.1:ircd, "carouge.ch.eu.undernet.org",
> > anyone that knows what this is??
>
> Sounds like you need to disconnect this system from the
> Internet immediately and do a bare metal install.
>
> Don't try to take any half measures. Review the packages you
> have installed to figure out how they got in to start with.
> Running phpbb, awstat, or postnuke by chance?
>
>
> --
> Scot L. Harris
> webid cfl rr com
>
> Yes, but every time I try to see things your way, I get a headache.
>
