[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] Re: Backdoor over http(s)??

On Tue, Jan 13, 2004 at 01:54:18PM +0100, Mátyás Tibor wrote:

> I have found in /var/log/httpd/error.log
> --09:06:43--
>            => `/tmp/.do'

Some CGI at your webserver did run wget to receive some file from and save it on your disc as "/tmp/.do".
wwwrun:nogroup are standard user and group used for apache.

The file is still avaiable from
I don't want to execute it, but strings does list some information:

usage: %s <IP or hostname> <port>

(/tmp/.do 9090)

> connect error

probably a error message printed by /tmp/.do.

The server at identifies itself as Apache/1.3.9 (Old!)

Stefan Tichy <listuser@xxxxxxxxx>

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here