Marco Lum wrote:
Please help, I can't find where he can get in~~!

I know several ways to break into such a system:

- installed PHP/Perl/CGI/whatever script
- known FTP account (anonymous?!) with access to webdirs
- Apache exploit (e.g. chunked bug)
- SSL exploit

If your box is well updated you can drop the last two possibilities (hopefully the box was ;). The others are well known flaws and, if you have a hosting box or so, you can't really control what other users install. Many scripts (whois etc.) don't really check for input. If it's your company's webserver you should know what's installed.

But like the others already said: unplug the box. Maybe you've the chance to check with chkrootkit (www.chkrootkit.org) if he had more access than the log shows.

HTH and if you've any further questions, drop a line (or two ;)

Sven
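
The reply above notes that many scripts (whois etc.) do not check their input. As an added example, not part of the original message, this is one way a whois lookup wrapper can validate a domain name against an allowlist and run the client without a shell. The function names are hypothetical, and it assumes a `whois` client is on the PATH.

```python
import re
import subprocess

# One DNS label: ASCII letters, digits and hyphens, no hyphen at either
# end, at most 63 characters. Anything else (spaces, ';', '|', '$', ...)
# fails the match.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
MAX_NAME_LEN = 253


def validate_domain(raw):
    """Return the normalised domain name, or raise ValueError."""
    if not isinstance(raw, str) or not raw.isascii():
        raise ValueError("domain must be an ASCII string")
    name = raw.strip().lower()
    if name.endswith("."):          # accept one trailing root dot
        name = name[:-1]
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("domain is empty or too long")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("expected at least two labels")
    for label in labels:
        # fullmatch: the whole label must fit the pattern, so a leading
        # '-' (which the client could read as an option) is rejected too.
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid label: %r" % label)
    return name


def whois_argv(raw):
    """Build the argument vector; only the validated value is used."""
    return ["whois", validate_domain(raw)]


def lookup(raw, timeout=10):
    """Run the lookup. An argv list with no shell=True means the value
    is never parsed by a shell, even if validation were bypassed."""
    result = subprocess.run(whois_argv(raw), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```

Validation and shell-free execution are independent layers: either one alone would stop metacharacters in the form field from reaching a shell, and together they also keep malformed names away from the client.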