Date:  Tue, 12 Sep 2006 21:50:55 +0100
From:  paul <paul (at mark) planetcentral.net>
Subject:  [coba-e:06869] Re: /TMP Directory
To:  coba-e (at mark) bluequartz.org
Message-Id:  <45071DAF.1070201 (at mark) planetcentral.net>
In-Reply-To:  <006b01c6d655$d5dbbdb0$0e00a8c0 (at mark) office.swiftinter.net>
References:  <002101c6d5ca$3c3c6960$6400a8c0 (at mark) YOUR4105E587B6> <006b01c6d655$d5dbbdb0$0e00a8c0 (at mark) office.swiftinter.net>
X-Mail-Count: 06869

Paul,

Have removed offending files and checked with rkh - all clear.

Would be interested to hear what the score is with this mod_security rule???

Thx
Paul

Paul Wilson - Swift Internet wrote:
> To be honest we did not find any damage apart from the initial lockup
> - the script prevents the restart of apache, so you have to force the
> apache processes to stop (always untidy)
>
> This thing seems to be used to flood networks with IRC data
>
> We installed rkhunter after removing the script and then ran it to 
> ensure we had no lkms - all clear.
>
> Apart from that, I created a new mod_security rule based on that 
> attack - we have had others try to get in the same way, only to be 
> bounced off.
>
> Regards
>
> Paul

