
Date:  Mon, 23 Nov 2009 12:03:19 -0500
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.com>
Subject:  [coba-e:16167] Re: Confused about password change...
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <002e01ca6c5e$dc8af3e0$95a0dba0$@com>
In-Reply-To:  <002101ca6c5c$74a6cd00$5df46700$@com>
References:  <00b901ca6c13$0fa28cd0$2ee7a670$ (at mark) com> <13ff4d414bb508232cea33bbe1891416 (at mark) goulburn.net.au> <002101ca6c5c$74a6cd00$5df46700$ (at mark) com>
X-Mail-Count: 16167

Weird.  I tried it again this morning and was able to change the password
with only one segmentation fault error.  All is good since then.  Must have
been just left over Apache sessions in play.

 

From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.com] 
Sent: Monday, November 23, 2009 11:46 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:16166] Re: Confused about password change...

 

I checked using "find" and there is no evidence of a rootkit or changed
files in /usr/bin or anywhere else for that matter.

 

Why would the system do segmentation fault errors for only one site on the
server?

 

From: David Booth [mailto:md (at mark) goulburn.net.au] 
Sent: Monday, November 23, 2009 5:35 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:16165] Re: Confused about password change...

 


On 23/11/2009, at 7:00 PM, Darrell D. Mobley wrote:

Tonight, I had a drive-by hacking on a BQ machine, and after closing the hole
I went to update my passwords.
 
On one particular site that runs Joomla and vBulletin, when I went to change
the MySQL user password (they share the same user over several databases),
Apache started spewing segmentation fault errors:
 
[Mon Nov 23 02:46:51 2009] [notice] child pid 16419 exit signal Segmentation fault (11)

 

The minute I changed the password back, they quit.  Even restarting Apache
wouldn't fix the problem.  Have you ever seen this before and what is
causing this?


The only time I saw Segmentation fault was after a rootkit attack.
Disastrous!

ls -l /usr/bin

Look for funny ownerships - other than root - this could be nasty.


	

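The ownership check suggested in the quoted reply (`ls -l /usr/bin`, looking for owners other than root) and the `find` sweep for changed files, written out as an added shell example that is not part of the original thread. The function names and the 7-day default window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Entries under DIR whose owner is not EXPECTED_UID (default 0 = root).
unexpected_owner() {
    dir=$1; uid=${2:-0}
    find "$dir" -xdev ! -uid "$uid" -print
}

# World-writable entries. Symlinks are skipped: their mode bits always
# read as 0777 on Linux and say nothing about the target.
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 -print
}

# Regular files whose inode changed (chmod, chown, rewrite) in the last DAYS days.
recently_changed() {
    find "$1" -xdev -type f -ctime "-${2:-7}" -print
}

# Labelled report; returns non-zero if any OWNER or WRITABLE finding exists.
# CHANGED lines are informational, since package updates also touch ctime.
audit_bindir() {
    dir=$1; uid=${2:-0}; days=${3:-7}
    out=$(
        unexpected_owner "$dir" "$uid"  | sed 's/^/OWNER    /'
        world_writable "$dir"           | sed 's/^/WRITABLE /'
        recently_changed "$dir" "$days" | sed 's/^/CHANGED  /'
    )
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    ! printf '%s\n' "$out" | grep -Eq '^(OWNER|WRITABLE) '
}

# Run as: sh audit.sh /usr/bin
if [ "$#" -gt 0 ]; then audit_bindir "$@"; fi
```

The report is only as trustworthy as the `find` binary that produced it, so on a host suspected of compromise it is best run from known-good media. On an RPM-based system, `rpm -V` additionally compares package-owned files against the digests recorded in the RPM database.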