Blackhole

[Chris Kenward]

Hi Mike 

> Perhaps this will help to identify the file:

> http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
> http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670

> If your machine has been compromised, the best thing to do is to
> format and re-install, taking care not to open the same secuity
> hole that allowed the first compromise.

Many thanks. The web server has more than 200 websites on it, which is going
to make it exceedingly difficult to track which of those allowed the attack.
The server has only recently been rebuilt, at the cost of lots of stress
while our customers whinged about their sites not being there, and I'm
pretty loathe to go through that all again.

There is mention in the link above regarding directories called:
/tmp/.blackhole.c

There isn't a directory called .blackhole.c on the server - just the one
executable binary in the /tmp folder. I can't find anything else on the
server which looks as though someone has had root access to the machine but
there again I'm no Linux expert so it could be staring me in the face.

Is there an "easy" way to track how this person got into the server? I
notice that the latest update for PHP from the RHN is 4.3.2 and I understand
from searches I've done on the 'net that 4.3.10 or even the latest 4.3.11 is
urgently advised due to "holes" in earlier versions. Not sure, however,
whether this is how the person managed to drop that on the server.

Regards
Chris