g*n
1
Hi there,
The root of my linux box kept receiving an email recently.
From: Mail Delivery Subsystem
To: [email protected]
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
This is an email sent to a wrong address. But the content of this email is
amazing.
From: Apache
To: c********[email protected]
Subject: [MY IP Address]
In the content, it lists all the hardware information of my computer,
including CPU types, netcard types and
p*f
2
Yes, it is a worm, which has invaded your box through a bug in the Apache SSL
module. You should be able to find some .vinik* files under /tmp, which
tell you what the worm could have done in your system. The worm might
have already gotten the privilege of your apache user, and tried to replace
some of your executables with its code, and also put its copy in some
folders which are writable by apache users; it also tries to put an entry
in the crontab of apache users.

[Quoted from g****n's post:]
: Hi there,
: The root of my linux box kept receiving an email recently.
: From: Mail Delivery Subsystem
: To: [email protected]
: Subject: Returned mail: see transcript for details
: Auto-Submitted: auto-generated (failure)
: This is an email sent to a wrong address. But the content of this email is
: amazing.
: From: Apache
: To: c********[email protected]

d*c
3
just found my mandrake8.2 was messed up by this same worm today.
check your /tmp, there were a whole bunch of hole, rooting, irc stuff
sitting on my machine. check your system log files to see if they still
exist. mine were all deleted. check the history of apache user. it was
the only thing by which i could trace out what the intruder did to the system.
the email seemed to be generated by a script named .cinik.??? under /tmp

[Quoted from g****n's post:]
: Hi there,
: The root of my linux box kept receiving an email recently.
: From: Mail Delivery Subsystem
: To: [email protected]
: Subject: Returned mail: see transcript for details
: Auto-Submitted: auto-generated (failure)
: This is an email sent to a wrong address. But the content of this email is
: amazing.
: From: Apache
: To: c********[email protected]
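
A read-only check for the traces the replies above describe (hidden `.cinik*` / `.vinik*` files in /tmp, files owned by the web server user, and a crontab entry for that user), as an added example that is not part of the original thread. The account name `apache` and the crontab spool paths are assumptions that vary by distribution; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Read-only triage for the traces described in this thread. Every function
# takes a root directory, so it also works on a mounted disk image.

# Hidden files directly under <root>/tmp matching the names the posters report.
worm_tmp_files() {
    find "${1%/}/tmp" -maxdepth 1 -type f \
        \( -name '.cinik*' -o -name '.vinik*' \) 2>/dev/null | sort
}

# Regular files owned by the web server account (name or numeric uid)
# under the directories given after the owner argument.
files_owned_by() {
    local owner="$1"; shift
    find "$@" -xdev -type f -user "$owner" 2>/dev/null | sort
}

# Active (non-comment, non-blank) lines in the web user's crontab spool file.
# Spool locations are assumptions: Red Hat style first, then Debian style.
cron_entries() {
    local root="${1%/}" user="$2" f
    for f in "$root/var/spool/cron/$user" "$root/var/spool/cron/crontabs/$user"; do
        if [ -r "$f" ]; then grep -Ev '^[[:space:]]*(#|$)' "$f" || true; fi
    done
}

# Print a report; returns 1 if any trace was found, 0 if none.
triage() {
    local root="${1:-/}" user="${2:-apache}" hits
    hits=$( { worm_tmp_files "$root"
              files_owned_by "$user" "${root%/}/tmp" "${root%/}/var/tmp"
              cron_entries "$root" "$user"; } | sort -u )
    [ -z "$hits" ] && { echo "no traces found under $root"; return 0; }
    printf 'review these:\n%s\n' "$hits"
    return 1
}
```

Run `triage / apache` as root on the live box, or `triage /mnt/image apache` against a mounted copy of the disk, which avoids trusting binaries the worm may have replaced.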
