Security Basics mailing list archives
found clues about a security issue in a web server
From: kazabe <kazabe () gmail com>
Date: Sun, 15 Mar 2009 11:10:22 -0500
Hi.

In the last week my internet connection was frozen. After discarding ISP and routing problems, I saw this process on my webserver (stored behind my router):

    www-data 20580 00 00 815 355 ? S 07:16 6:01 ./s 86.23.114.12 80

That process was using all the bandwidth (the address displayed is a remote IP, without any relationship with us). After killing that process, the internet service is normal again.

The router and the webserver are running under Debian Lenny. The web server is not remotely accessible; all the administration is done physically at the PC. The webserver doesn't have any remote access (it doesn't have ftp, or ssh, or telnet. Nothing). I tried to find that "./s" but I can't find it yet. How can I detect how that script was injected?

The webserver is only used to publish a website related to company internal process (but it is published to the Internet, by port forwarding from the router). That website uses PHP and MySQL. What can I check to solve that security issue?

Thanks in advance.