Article 9532 at 07/04/12 09:06:32 From: d.k.emaillists (at mark) gmail.com Subject: [coba-e:09532] machine possibly compramised

Index: [Article Count Order] [Thread]

Date:  Wed, 11 Apr 2007 17:06:24 -0700
From:  dnk <d.k.emaillists (at mark) gmail.com>
Subject:  [coba-e:09532] machine possibly compramised
To:  "BQ List" <coba-e (at mark) bluequartz.org>
Message-Id:  <bb9e5a970704111706o4ffa7945k2576dc377478750d (at mark) mail.gmail.com>
X-Mail-Count: 09532

Hi there has any one seen this before?

We have a BQ (Nuonce) yummed up to todays date.

We started noticing a funny process running. It is running as ./a
under the apache user. it seems to open up port 60666 and listen on
it. Our firewall is keeping that port locked up though other wise and
it seems like this hack can't get past this point. We cleaned it out a
few days ago, and well obviously since I am posting it has appeared
again. We suspect it must be some code being launched through either
perl or php and praying it is not through the BQ itself), but was
hoping for the "hail mary" from the list in case someone has had
simlar experience.

Thanks in advance!

dk