[GLLUG] server attack

Karl Schuttler rexykik at gmail.com
Sun Sep 20 20:51:54 EDT 2009


Delete the CGI

On Sun, Sep 20, 2009 at 8:42 PM, Eduardo Cesconetto
<eduardo at cesconetto.com> wrote:
> Anybody have any idea on how to stop perlwebshell?
> http://yola.in-berlin.de/perlwebshell/
>
> On Sep 20, 2009, at 7:37 PM, Clay Dowling wrote:
>
>> Eduardo Cesconetto wrote:
>>> A friend's hosting server is being attacked by somebody using
>>> mass.pl to change the index.html files in all the user folders,
>>> here is part of a log:
>>>
>>>
>>>
>>> Any ideas on how to stop this?
>>>
>> Step one would be to stop running vulnerable services (i.e. all of
>> them) as root. The attacker has clearly managed to get root
>> privileges. Nothing exposed to the outside world should be run as
>> root.
>>
>> The second step is probably to track the attacker back to their
>> source IP (keeping in mind that they're probably running through
>> another stolen server or six), then meet them in person to discuss
>> the finer points of keeping your hands off other people's stuff. The
>> opening gambit is really a matter of personal choice, and I'll leave
>> it to your friend's discretion. I myself prefer two and a half feet
>> of ash as a rhetorical device.
>>
>> Clay
>
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>


