Hi Ritesh,
My guess is as follows:
You were hacked between 2005-11-20 and 2005-11-25.
This installed a perl script. Those .fuhrer* files are related to
the hack and may be useful as a signature of the attack.
Someone hosted on maple.phpwebhosting.com is the at
On Fri, Nov 25, 2005 at 09:32:43PM +0530, Ritesh Raj Sarraf wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Even after I stop my webserver, I find the perl process chewing up 99%
of my cpu cycles.
top - 07:58:28 up 3 days, 8:26, 1 user, load average: 0.96, 1.04, 1.17
Tasks: 56 tot
On Fri, Nov 25, 2005 at 06:43:26PM +, Clive Menzies wrote:
> I read here recently about shutting out all ssh access other than your
> own but you need to be careful not to lock yourself out. You then need
> to close all the ports other than ssh. Not something I've ever done. It
> would also m
On Friday 25 Nov 2005 18:30, Derek "The Monkey" Wueppelmann wrote:
> On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> > That is what got me confused at first. Since there's no /usr/sbin/httpd
> > binary in a Debian based apache installation I was wondering how this was
> > being shown.
On (25/11/05 13:30), Derek The Monkey Wueppelmann wrote:
> On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> > That is what got me confused at first. Since there's no /usr/sbin/httpd
> > binary in a Debian based apache installation I was wondering how this was
> > being shown. And inter
On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> That is what got me confused at first. Since there's no /usr/sbin/httpd
> binary in a Debian based apache installation I was wondering how this was
> being shown. And interestingly there was no /usr/sbin/httpd file present
> either.
If th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Derek "The Monkey" Wueppelmann on Friday 25 Nov 2005 23:10 wrote:
> On Fri, 2005-25-11 at 22:12 +0530, Ritesh Raj Sarraf wrote:
>> In my first mail, the logs showed a lot of "sh" defunct processes
>> executed from within apache. Is this an attempt to
On Fri, 2005-25-11 at 22:12 +0530, Ritesh Raj Sarraf wrote:
> In my first mail, the logs showed a lot of "sh" defunct processes executed
> from within apache. Is this an attempt to gain the shell through the web
> server ?
>
> Please suggest what more I should look for and how to tackle this at
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Here's what I found out with more digging in the logs.
There are 3 hidden files (attached with this message) in /tmp/:
1) .fuhrer
2) .fuhrer2
3) .fuhrer3
ns1:/var/log/apache2# ls -la /tmp/
total 56
drwxrwxrwt 5 root root 4096 Nov 25 07:46 .
drw
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Even after I stop my webserver, I find the perl process chewing up 99%
of my cpu cycles.
top - 07:58:28 up 3 days, 8:26, 1 user, load average: 0.96, 1.04, 1.17
Tasks: 56 total, 3 running, 53 sleeping, 0 stopped, 0 zombie
Cpu(s): 84.0%
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello World,
I've got a severe problem. It looks like my webserver has been compromised.
I have a webserver running apache2 (Debian Sarge). My webserver's load
always stays around 1.5 and the cpu utilization is 95%.
My webserver is not accep