[Zeffie-Users] CTT spam ridden files?
Jeff MacDonald
jeff at interchange.ca
Mon Jan 28 20:19:27 CET 2008
>>>>>>>> I think this box is rooted. Or a daemon is doing something I
>>>>>>>> can't
>>>>>>>> explain.
>>>>>>>> <snip>
>>>>>>>
>>>>>>> Hmm can't say I have. Anything unusual if you do a 'ps ax'?
>>>>>>
>>>>>> No, nothing special :( , lsof didn't say much either.
>>>
>>>
>>>
>>> Look for a weak web application like old phpBB, etc...
>>>
>>> you might find something in your apache logs too...
>>
>> Well, I wrote a little script to run lsof every 15 minutes and to
>> email me if it found anything, here's what I found
>>
>> caspeng 27122 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>> caspeng 27123 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>> caspeng 27124 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>> caspeng 27125 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>> caspeng 27126 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>> caspeng 27127 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
>>
>> So it looks like either someone has found an exploit in ChiliASP, or
>> someone found an exploit in an ASP script on the machine.. I'm going
>> to add some timestamps etc to my script and try to correlate it with
>> apache/chili logs.
>>
>
> What version of asp do you have installed?
>
> rpm -qi chiliasp
I found the issue, it was a poorly written guest book application.
----------
[admin admin]$ rpm -qi chiliasp
Name        : chiliasp                     Relocations: (not relocateable)
Version     : 3.6.0C                            Vendor: Cobalt Networks Inc.
Release     : 7                             Build Date: Thu Dec 13 17:03:05 2001
Install date: Sat Sep 28 12:37:19 2002      Build Host: linux-01.west.sun.com
Group       : Base                          Source RPM: chiliasp-3.6.0C-7.src.rpm
Size        : 120898459                        License: Chilisoft 2000
Packager    : Will DeHaan,Cobalt Networks / Sriram Natarajan,ChiliSoft
Summary     : Chllisoft ASP 3.6.0
Description :
- ASP support for Cobalt Servers
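
The correlation step mentioned in the thread (timestamped lsof captures matched against web server logs), as an added example that is not part of the original message or the poster's script. It assumes each lsof row is prefixed with an ISO capture time, that both logs use the same clock, and that the sample rows, addresses and request paths below are constructed; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lsof rows in the format shown in the thread, each
# prefixed with the capture time a timestamping wrapper would add (assumption).
LSOF_SAMPLE = """\
2008-01-28T14:15:00 caspeng 27122 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
2008-01-28T14:15:00 caspeng 27123 root 36u REG 9,4 842231968 14905 /home/tmp/CTTvvFaR9
2008-01-28T14:15:00 httpd 1201 root 4w REG 9,4 5120 220 /var/log/httpd/access
"""

# Constructed Apache common-log lines; addresses and paths are placeholders.
ACCESS_SAMPLE = """\
192.0.2.10 - - [28/Jan/2008:14:09:41 +0000] "POST /guestbook/sign.asp HTTP/1.0" 200 512
192.0.2.77 - - [28/Jan/2008:11:02:13 +0000] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [28/Jan/2008:14:14:02 +0000] "POST /guestbook/sign.asp HTTP/1.0" 200 512
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "(\S+) (\S+)')

def suspicious_lsof(text, watch_dir="/home/tmp/", command="caspeng"):
    """Return (capture_time, pid, path) for rows where `command` holds a file under watch_dir."""
    hits = []
    for line in text.splitlines():
        fields = line.split(None, 9)  # stamp + 9 lsof columns; NAME may contain spaces
        if len(fields) != 10:
            continue
        stamp, cmd, pid, path = fields[0], fields[1], fields[2], fields[9]
        if cmd == command and path.startswith(watch_dir):
            hits.append((datetime.fromisoformat(stamp), int(pid), path))
    return hits

def requests_before(hits, access_text, window=timedelta(minutes=15)):
    """Map each capture time to the (time, client, method, url) requests in the window before it."""
    requests = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            requests.append((when, m.group(1), m.group(3), m.group(4)))
    return {capture: [r for r in requests if capture - window <= r[0] <= capture]
            for capture in sorted({h[0] for h in hits})}

if __name__ == "__main__":
    for capture, reqs in requests_before(suspicious_lsof(LSOF_SAMPLE), ACCESS_SAMPLE).items():
        print(capture, [(r[1], r[2], r[3]) for r in reqs])
```

The 15-minute window matches the lsof polling interval from the thread, so every request that could have preceded a capture falls inside it.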