On Friday 25 Nov 2005 18:30, Derek "The Monkey" Wueppelmann wrote:
> On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> > That is what got me confused at first. Since there's no /usr/sbin/httpd
> > binary in a Debian based apache installation I was wondering how this was
> > being shown. And interestingly there was no /usr/sbin/httpd file present
> > also.
>
> If the system has been rooted, then you can't count on anything that is
> reported by ps. Probably one of those scripts in /tmp is being run and
> then it masquerades as being /usr/sbin/httpd, which on redhat systems
> and other *nix distributions would be considered innocuous.
>
> > That's the biggest challenge right now. I don't have physical access to
> > the system and I don't think my client will be able to bear my travelling
> > expenses.
>
> That does pose a problem. I don't know an easy way to validate the
> system and clean it while attacks are still happening, or even worse
> someone has a shell account on the system.
>
> > chkrootkit was of no help. It reported that the system was absolutely
> > fine. I haven't tried tiger yet.
>
> Hmm, I'm pretty new to that tool and the tiger tool as well. So I'm not
> sure what else to suggest at this point. Hopefully others on this list
> and the debian-isp list will also be able to help out.

My email scanner blocked your fuhrer2 file claiming it had
"Trojan.Perl.Shellbot.C"

HTH,

Cheers,
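Added example, not part of the original messages: a Python check for the situation described in the quoted text, where a script run from /tmp shows up in ps as /usr/sbin/httpd on a system that has no such file. It compares the name a process claims in /proc/<pid>/cmdline with the executable and working directory the kernel recorded for it. The function names are hypothetical, and it assumes /proc itself still reports honestly, which no longer holds if the kernel has been tampered with.

```python
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def findings(exe, argv, cwd, exists=os.path.exists, resolve=os.path.realpath):
    """Reasons a process's claimed name disagrees with what the kernel recorded."""
    out = []
    # A rewritten process title arrives as one string; keep only the path part.
    claimed = argv[0].split(" ")[0] if argv else ""
    if exe.endswith(" (deleted)"):
        out.append("executable deleted after launch")
        exe = exe[:-len(" (deleted)")]
    if claimed.startswith("/"):
        if not exists(claimed):
            out.append("claims %s, which is not on disk" % claimed)
        elif resolve(claimed) != resolve(exe):
            out.append("claims %s but runs %s" % (claimed, exe))
    for label, path in (("executable", exe), ("working directory", cwd)):
        if (path + "/").startswith(TEMP_DIRS):
            out.append("%s under a temp directory: %s" % (label, path))
    return out

def scan(proc_root="/proc", **kw):
    """Map pid -> findings for every process readable under proc_root."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode("utf-8", "replace")
                        for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        hits = findings(exe, argv, cwd, **kw)
        if hits:
            report[int(pid)] = hits
    return report

if __name__ == "__main__":
    # Run as root so the exe and cwd links of other users' processes are readable.
    for pid, hits in sorted(scan().items()):
        for hit in hits:
            print("%d: %s" % (pid, hit))
```

Processes inside containers or chroots can be flagged because their paths are resolved in a different filesystem view, so treat each hit as a lead to examine rather than a verdict.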