Re: one of my servers has been compromized

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On December 5, 2011 1:48:24 PM +0100 Christophe Garault 
<letoff () gmail com> wrote:

> >
> Having your /tmp partition with noexec,nosuid is also considered a good
> practice.

That's not a bad generic suggestion, but it won't do a thing for this hack. 
They deposit perl scripts in /tmp/.m and then run them by calling perl, 
which is not in tmp.  This is a very common hack of a poorly written web 
application.  I doubt seriously that the "box" has been hacked - only the 
webserver is affected - especially based on his description of how he found 
and got rid of its elements.  (IOW, they didn't get root on the box - they 
only compromised the web application and then ran shells in perl off of 
that.)

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/