<html>
<body>
It appears as if some IRC bot is able to get uploaded. Yes, it
appears to be occurring near 9 PM HST but that is not always the
case. It has happened at other times before. However the late
evening appears to be the pattern the past few days.<br><br>
Shell access...I don't think so. I check the auth logs and other
logs that I can figure and don't see any evidence of someone logging in
with admin, root, or root-admin from anything other than the IP addresses
of known systems. I also checked instances of su and it doesn't
appear anything illigitimate there. What we suspect is that they
are finding a hole in the web apps and uploading their IRC bot to the
/tmp directory and then running their deal their. The bandwidth
goes crazy and effectively we have a DOS.<br><br>
-Rashid<br><br>
<br>
At 10:56 AM 3/26/2006, you wrote:<br>
<blockquote type=cite class=cite cite="">> A client has a
website that uses PERL and PHP. The site keeps getting<br>
> compromised.<br><br>
What do you mean by "compromised" ? Is someone able to get
shell<br>
access to the server? Are they defacing the website somehow
(replacing<br>
content)? Using the server to send spam? Does it seem to happen
at<br>
certain times of the day?</blockquote>
<x-sigsep><p></x-sigsep>
***************************************************************** <br>
MuntadaNet Web Hosting and Web Design Services<br>
<font color="#0000FF"><u>
<a href="http://www.muntada.com/" eudora="autourl">
http://www.muntada.com<br><br>
</a></u></font>Sales - sales (at mark) muntada.com <br>
Support - support (at mark) muntada.com <br>
Billing - billing (at mark) muntada.com<br><br>
Main Office - 808-689-6092<br>
Fax - (808) 356-0279<br>
*****************************************************************<br><br>
</body>
</html>