[Zeffie-Users] CTT spam ridden files?

Zeffie zeffie at zeffie.net
Mon Jan 28 19:28:22 CET 2008


>>>>>>> I think this box is rooted. Or a daemon is doing something I can't
>>>>>>> explain.
>>>>>>> <snip>
>>>>>>
>>>>>> Hmm, can't say I have. Anything unusual if you do a 'ps ax'?
>>>>>
>>>>> No, nothing special :( , lsof didn't say much either.
>>
>>
>>
>> Look for a weak web application like old phpBB, etc...
>>
>> you might find something in your apache logs too...
> 
> Well, I wrote a little script to run lsof every 15 minutes and to  
> email me if it found anything, here's what I found
> 
> caspeng 27122 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9  
> caspeng 27123 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
> caspeng 27124 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9  
> caspeng 27125 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
> caspeng 27126 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9  
> caspeng 27127 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
> 
> So it looks like either someone has found an exploit in ChiliASP, or
> someone found an exploit in an ASP script on the machine. I'm going
> to add some timestamps etc. to my script and try to correlate it with
> apache/chili logs.
> 

What version of asp do you have installed?

rpm -qi chiliasp

--
Zeffie...
http://www.zeffie.com/
Now I build it and You surf it!
Cobalt RaQ Repairs, Development, and Maintenance.
Home of the Worlds Largest Collection of RaQ Updates!
Cobalt Spam Filter, Security, Firewall, Anti Virus Products.
Yahoo: wwwZeffie ... Aim: wwZeffie ... Msn wwZeffie at hotmail.com ...
US 734-446-0350 734-454-9117 US Toll Free 800-231-4459 UK 0208-150-6860
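
The correlation step described in the quoted message (timestamped lsof snapshots matched against the web server log), as an added example that is not code from the thread. It assumes Apache common log format and that the snapshot time is in the same local time zone as the log; the sample log lines, client addresses and the `/contact/form.asp` path are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

WATCH_DIR = "/home/tmp/"          # directory seen in the lsof output in the thread
INTERVAL = timedelta(minutes=15)  # polling interval mentioned in the thread

# Constructed sample: one snapshot in lsof's default column layout, plus its time.
SNAPSHOT_TIME = datetime(2008, 1, 28, 18, 15, 0)
LSOF_SAMPLE = """\
caspeng 27122 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
caspeng 27123 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
httpd   1201 httpd  4u REG 9,4      1024  2201 /var/log/httpd/access
"""
# Constructed sample: common-log-format lines (documentation address ranges).
ACCESS_SAMPLE = """\
192.0.2.10 - - [28/Jan/2008:17:40:11 +0100] "GET /index.asp HTTP/1.0" 200 900
198.51.100.7 - - [28/Jan/2008:18:03:52 +0100] "POST /contact/form.asp HTTP/1.0" 200 310
198.51.100.7 - - [28/Jan/2008:18:04:05 +0100] "POST /contact/form.asp HTTP/1.0" 200 310
192.0.2.10 - - [28/Jan/2008:18:09:30 +0100] "GET /logo.gif HTTP/1.0" 200 4096
"""
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def suspicious_open_files(lsof_text, watch_dir=WATCH_DIR):
    """Return (command, pid, size, path) for regular files open under watch_dir."""
    rows = []
    for line in lsof_text.splitlines():
        f = line.split()  # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if len(f) >= 9 and f[4] == "REG" and f[8].startswith(watch_dir):
            rows.append((f[0], int(f[1]), int(f[6]), f[8]))
    return rows

def requests_in_window(access_text, end, window=INTERVAL, suffix=".asp"):
    """Count (client, method, path) script requests in the window before `end`."""
    hits = Counter()
    for line in access_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")  # offset ignored
        path = m.group(4).split("?")[0]
        if end - window <= when <= end and path.lower().endswith(suffix):
            hits[(m.group(1), m.group(3), path)] += 1
    return hits

if __name__ == "__main__":
    if suspicious_open_files(LSOF_SAMPLE):
        for key, n in requests_in_window(ACCESS_SAMPLE, SNAPSHOT_TIME).most_common():
            print(n, *key)
```

Requests that repeat in the interval before a snapshot that shows a `CTT*` file open are the ones to check first against the ChiliASP logs.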



