I see something similar. I usually see bots or psybnc being loaded.
It's typically loaded through sites that have Mambo/Joomla installed or
someone using a script to place it in /tmp. It's usually pretty
harmless, just gets annoying having to check for them and delete them
when I see them running.
----- Original Message -----
From: MuntadaNet Webmaster
To: coba-e (at mark) bluequartz.org
Sent: Sunday, March 26, 2006 3:41 PM
Subject: [coba-e:04366] Re: Monitoring Ports, Processes
It appears as if some IRC bot is able to get uploaded. Yes, it
appears to be occurring near 9 PM HST but that is not always the case.
It has happened at other times before. However the late evening appears
to be the pattern the past few days.
Shell access... I don't think so. I check the auth logs and other logs
that I can figure and don't see any evidence of someone logging in with
admin, root, or root-admin from anything other than the IP addresses of
known systems. I also checked instances of su and it doesn't appear
anything illegitimate there. What we suspect is that they are finding a
hole in the web apps and uploading their IRC bot to the /tmp directory
and then running their deal there. The bandwidth goes crazy and
effectively we have a DOS.
-Rashid
At 10:56 AM 3/26/2006, you wrote:
> A client has a website that uses PERL and PHP. The site keeps getting
> compromised.
What do you mean by "compromised"? Is someone able to get shell
access to the server? Are they defacing the website somehow (replacing
content)? Using the server to send spam? Does it seem to happen at
certain times of the day?
*****************************************************************
MuntadaNet Web Hosting and Web Design Services
http://www.muntada.com
Sales - sales (at mark) muntada.com
Support - support (at mark) muntada.com
Billing - billing (at mark) muntada.com
Main Office - 808-689-6092
Fax - (808) 356-0279
*****************************************************************
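
An added example, not part of the original thread: one way to do the check both posters describe by hand, listing processes whose executable or working directory sits in /tmp. The function name `find_tmp_procs` and its optional proc-root argument are assumptions made for illustration, and the match also covers /var/tmp and /dev/shm, which go beyond the /tmp case discussed above.

```shell
#!/bin/sh
# Added example (not from the thread). Lists processes that run from a
# world-writable temp directory by reading the exe and cwd symlinks in /proc.
#
# find_tmp_procs [PROC_ROOT]
#   PROC_ROOT defaults to /proc; the parameter is hypothetical and exists so
#   the function can be pointed at a copied or constructed tree.
#   Prints one line per hit: PID <TAB> exe|cwd <TAB> link target
find_tmp_procs() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        for kind in exe cwd; do
            # Unreadable or missing links (other users' processes, kernel
            # threads, processes that exited mid-scan) are skipped.
            target=$(readlink "$dir/$kind" 2>/dev/null) || continue
            case "$target" in
                # The kernel appends " (deleted)" to the exe target when the
                # binary was unlinked after start; "/tmp/*" still matches it.
                /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                    printf '%s\t%s\t%s\n' "$pid" "$kind" "$target" ;;
            esac
        done
    done
}

# Usage (as root, so every process's links are readable):
#   find_tmp_procs
```

A legitimate process can have its working directory in /tmp, so each hit is a lead to review against the process owner and start time, not proof of an uploaded bot.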