[Zeffie-Users] CTT spam ridden files?
Jeff MacDonald
jeff at interchange.ca
Mon Jan 28 14:53:08 CET 2008
>>>>>> I think this box is rooted. Or a daemon is doing something I
>>>>>> can't
>>>>>> explain.
>>>>>> <snip>
>>>>>
>>>>> Hmm, can't say I have. Anything unusual if you do a 'ps ax'?
>>>>
>>>> No, nothing special :( , lsof didn't say much either.
>
> Look for a weak web application like old phpBB, etc...
>
> you might find something in your apache logs too...
Well, I wrote a little script to run lsof every 15 minutes and to
email me if it found anything; here's what I found:
caspeng 27122 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27123 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27124 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27125 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27126 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27127 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
So it looks like either someone has found an exploit in ChiliASP, or
someone found an exploit in an ASP script on the machine. I'm going
to add some timestamps etc. to my script and try to correlate it with
apache/chili logs.
Jeff.