itsensellc
Verified User
- Joined
- Jul 15, 2005
- Messages
- 53
Hello,
I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.
Any suggestions on how I can track this down or at least set myself up for when it does happen the next time I can trap where it's coming from and patch it?
Thanks very much,
JP
I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.
Any suggestions on how I can track this down or at least set myself up for when it does happen the next time I can trap where it's coming from and patch it?
Thanks very much,
JP