Mátyás Tibor wrote: First off, there was a "backdoor" during 2003 (don't remember when) in the SSL-libs, which could be used via Apache to put files in the /tmp dir... (I know this because I found such files myself)
And I have Phpnuke 6.9 (?? PHP ??)
PHPNuke is ridden with security flaws; 6.9 has had security patches for admin.php and the weblinks & downloads modules. Depends on if you patch your server or not...
OK, somebody could use wget, but what about the .do.sh --> how was it possible to execute it?
/tmp is an executable directory, isn't it?! Normally "hackers" who gain access through some backdoor need to gain access to the machine, then try to execute a lot of tests to see if any local exploits are available to see if they can get root access. My own experience a month back told me so (an old RH 7.0 machine got hacked)

//Mattias