Re: one of my servers has been compromized

[Lucio Crusca <lucio () sulweb org>]

John Jacobs wrote:

> In my previous experience, including a few vulnerabilities in Roundcube,
> I've seen a programmatic scan, exploitation, and then wget/dropping of a
> Perl IRC bot.  Of course this is all speculation based on previous
> experience, I am not looking at lucio's box.  The Apache access/error logs
> should have the offending log entries and/or any output from the
> system()/exec() etc PHP functions.  Lucio -- what user was the IRC bot
> running under?

www-data

> Lucio, I would also recommend subscribing to the Ubuntu Security-Announce
> mailing lists which issue the USNs so you are aware of which packages have
> been patched and those which require a reboot to effect the changes, such
> as Kernel update.

hosted vps, the kernel updates are up to the provider.

> James you are correct regarding the shell; I would assume /bin/sh would be
> pointed to /bin/dash or /bin/bash on a Ubuntu system.  I would assume the
> user's login shell would be /bin/bash.  

Ubuntu has bash and dash installed by default, and /bin/sh -> dash, but any 
user is defaulted to /bin/bash



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/