25 Dec 2002, 02:32
Dirk Kutsche wrote:
Hi,
I found a program "bi" in /tmp - owner wwwrun, group nobody. Nothing in the logs. 2.4.10-4GB
Looks like a hack via apache. Do you know anything similar?
strings bi gets the following output:
Looks like a backdoor. Check if any port is open on your box that shouldn't be there. What about Apache? Up-to-date? PHP? OpenSSL? All those were exploitable in the last month, and your kernel looks like a default kernel from 7.3; if you update it, you should have at least 2.4.16-4GB. Also try chkrootkit -> www.chkrootkit.org. If it finds something suspicious, remove the box from the network and trust none of the data you have on it.
regards
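Added example, not part of the original posts: a small triage script for the situation described in this thread, listing ELF binaries under a temp directory with owner, mode and SHA-256 so they can be recorded before the box is taken offline. The `/tmp` path and the `wwwrun` account come from the post; the function names are assumptions made for this example.

```python
import hashlib
import os
import pwd
import stat
import sys

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable


def owner_name(uid):
    """Resolve a uid to an account name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def scan_for_binaries(root, owners=None):
    """Return ELF files under root; owners (a set of names) narrows the result."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, fifos
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file
            if not data.startswith(ELF_MAGIC):
                continue
            owner = owner_name(st.st_uid)
            if owners and owner not in owners:
                continue
            hits.append({"path": path, "owner": owner,
                         "mode": stat.filemode(st.st_mode),
                         "mtime": int(st.st_mtime),
                         "sha256": hashlib.sha256(data).hexdigest()})
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    # "wwwrun" is the web server account named in the post
    for h in scan_for_binaries(root, owners={"wwwrun"}):
        print(h["mode"], h["owner"], h["mtime"], h["sha256"], h["path"])
```

On a host that may already be compromised, run it with an interpreter from trusted media, since local tools can no longer be trusted.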