[nsp-sec] Linux webserver botnet

SURFcert - Peter p.g.m.peters at utwente.nl
Mon Sep 14 06:27:50 EDT 2009



Hi,

Coincidence or not? Just today I read
http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/ and
at the same time I got a report about a Linux web server that was
infected and part of a botnet. I have ordered to not re-install that
specific server but try to get the services running on another one.

They got into the system through an old vulnerable phpMyAdmin version.
The strange thing is there shouldn't be any phpMyAdmin on that box. We
will sort that out later. We can probably pull the source of the botnet
malware from the logging (at first sight it appears to be a host in
Germany). And we probably will get some information about the IRC
channel and passwords used to access 82.197.159.61 on port 9999.

I hope to be able to get as much as possible out of that host before I
am off on holiday and without e-mail for about two weeks. Important
stuff will of course be shared as much as possible.

--
Peter Peters
SURFcert Officer off Duty
cert at surfnet.nl                            http://cert.surfnet.nl/
office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
