Hi,
I found a backdoor binary in /tmp simply named "bds".
How can I find out who put it there?
Thanks!
Since it is in /tmp, it was most likely put there by a php script of some kind. You could look through the access logs in /usr/local/apache/domlogs for 'bds' to see if you can find the site that was used to upload the file.
Code:
grep -i bds /usr/local/apache/domlogs/*
-Todd Shipway
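An added example, not part of this thread or of Todd's reply, that takes the grep idea one step further: instead of only matching the string "bds", it parses Apache combined-format access log lines and also flags POST requests that landed within a few minutes of the suspicious file's modification time, which is what usually catches an upload whose URL never mentions the file name. The log lines and the timestamp are constructed for the example; on a real box you would read the domlog and take the mtime from os.stat() on the file (keeping in mind that an mtime in /tmp can be changed by whoever dropped the file, so the ctime and the log window are worth checking as well).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of Apache combined-format log lines (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:03:40 +0000] "POST /wp-content/uploads/up.php?f=bds HTTP/1.1" 200 73 "-" "curl/7.88"
198.51.100.9 - - [10/Mar/2024:14:05:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed modification time of the dropped file; in practice use
# datetime.fromtimestamp(os.stat("/tmp/bds").st_mtime, tz=timezone.utc).
SAMPLE_MTIME = datetime(2024, 3, 10, 14, 3, 45, tzinfo=timezone.utc)

# Enough of the combined log format to get client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def suspicious_requests(log_text, file_mtime, window=timedelta(minutes=5), needle="bds"):
    """Requests that either mention the file name (what the grep does) or are
    POSTs close in time to the file's mtime (uploads that never name the file)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        in_window = abs(rec["ts"] - file_mtime) <= window
        mentions = needle in rec["path"].lower()
        if mentions or (in_window and rec["method"] == "POST"):
            hits.append(rec)
    return hits


def demo():
    """Run the check over the constructed sample; returns the matching records."""
    return suspicious_requests(SAMPLE_LOG, SAMPLE_MTIME)


if __name__ == "__main__":
    for rec in demo():
        print(rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
```

Feed it the contents of the domlog for each site (or all of them in a loop) and narrow the window once you know the mtime; the request path that comes back points at the script that was used, and the account that owns that docroot is your answer to "who".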
If you're asking this, you're probably not running suphp or phpsuexec; if you were running them, the file ownership would have told you who put it there.
There's a slight performance hit and some issues if you have a lot of scripts installed already, but it is really worth looking at making the change. Tools such as CSF/APF help too.
So, which is less disruptive to the hosted accounts when converting over, suphp or phpsuexec?
This article might help: http://servertune.com/kbase/entry/46/
Andy Reed
RHCE and CCNA
ServerTune.com
Is suphp the same as Suhosin?
Not remotely. Spend a few minutes reading about them and you'll see (google is your friend!!). Suhosin = PHP hardening, cuts a lot of functionality out of PHP; suphp runs PHP as individual users.