Blackhole

Mike Klinke mklinke at axsi.com
Mon Apr 11 15:38:33 UTC 2005


On Monday 11 April 2005 09:22, Chris Kenward wrote:
> Hi Mike
>
> > Perhaps this will help to identify the file:
> >
> > http://www.packetstormsecurity.org/0209-exploits/free-apache.txt
> > http://mx.mcafee.com/virusInfo/default.asp?id=description&virus_k=100670
> >
> > If your machine has been compromised, the best thing to do is
> > to format and re-install, taking care not to open the same
> > security hole that allowed the first compromise.
>
> Many thanks. The web server has more than 200 websites on it,
> which is going to make it exceedingly difficult to track which of
> those allowed the attack. The server has only recently been
> rebuilt, at the cost of lots of stress while our customers
> whinged about their sites not being there, and I'm pretty loath
> to go through that all again.
>
> There is mention in the link above regarding directories called:
> /tmp/.blackhole.c
>
> There isn't a directory called .blackhole.c on the server - just
> the one executable binary in the /tmp folder. I can't find
> anything else on the server which looks as though someone has had
> root access to the machine but there again I'm no Linux expert so
> it could be staring me in the face.
>
> Is there an "easy" way to track how this person got into the
> server? I notice that the latest update for PHP from the RHN is
> 4.3.2 and I understand from searches I've done on the 'net that
> 4.3.10 or even the latest 4.3.11 is urgently advised due to
> "holes" in earlier versions. Not sure, however, whether this is
> how the person managed to drop that on the server.
>
> Regards
> Chris

Here is a well-known project that may help to evaluate your system:

http://freshmeat.net/projects/chkrootkit/


You can also use rpm to verify your system files ( --verify switch ).

Regards, Mike Klinke
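As an added example that is not part of the thread above, the following script shows how the rpm --verify check Mike suggests can be turned into a quick triage pass: it filters `rpm -Va` output down to the changes that matter when looking for tampered system files (size, mode, digest, owner or group changes, and missing files), skipping config and documentation files that legitimately differ, and it lists executables sitting under /tmp, where package-managed software never lives. The `rpm -Va` line format is the real one; the sample output lines embedded in the script are constructed for the stand-alone run, and the script and function names are my own.

```shell
#!/bin/sh
# Added example (not from the redhat-list thread): triage helper around
# rpm --verify (rpm -Va) plus a listing of executables under /tmp.
#
# rpm -Va prints one line per file that differs from the package database:
#   S.5....T.  c /etc/ssh/sshd_config
#   S.5....T.    /bin/ls
#   missing      /sbin/ifconfig
# Column 1 holds the test flags (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime; "." means unchanged), then an optional attribute
# column ("c" config, "d" documentation, ...) and finally the path.

# Print only entries that matter for compromise triage: size, mode, digest,
# owner or group changes, and missing files. Config and documentation files
# legitimately differ after local edits, so they are skipped. Reads rpm -Va
# output on stdin.
flag_rpm_verify() {
    awk '
    NF == 0 { next }
    {
        flags = $1
        if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
        if (attr == "c" || attr == "d") next
        if (flags == "missing") { print "MISSING " path; next }
        if (flags ~ /[SM5UG]/) print flags " " path
    }'
}

# List regular files with an owner execute bit under a directory such as
# /tmp, which a package-managed system should not normally contain.
list_executables_in() {
    find "$1" -xdev -type f -perm -u+x 2>/dev/null
}

# Constructed sample of rpm -Va output, used for the stand-alone demonstration.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/sbin/sshd
missing     /sbin/ifconfig'

# Run against the live system with:  sh rpm_triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== rpm --verify findings (size/mode/digest/owner changes, missing files) =="
    rpm -Va | flag_rpm_verify
    echo "== executables under /tmp =="
    list_executables_in /tmp
else
    echo "== constructed sample rpm -Va output, filtered =="
    printf '%s\n' "$SAMPLE_RPM_VA" | flag_rpm_verify
fi
```

Without arguments the script only filters the embedded sample; with `--scan` it runs `rpm -Va` on the live host. A digest change on a binary in /bin, /sbin or /usr/bin is the finding to chase, since a mtime-only difference (the `T` flag) usually comes from a package update or prelink rather than tampering; bear in mind that rpm's database itself can be altered by someone with root, so a clean result does not rule out a compromise, which is why the reply also points at chkrootkit.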




More information about the redhat-list mailing list