What kind of hack is this...???

bhznat

Active Member
Jun 2, 2004
I have found some files in /tmp named like /tmp/dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an outside IP. Each file contains just a number, I think a counter value. I think this is the IP of a victim that has been attacked by our box, but how?

I have suexec & phpsuexec installed, so the owner of all files in /tmp is defined. But how can a script use nobody to execute? I think it is impossible with phpsuexec, except by direct code execution through the browser. I wonder how? Maybe a phpBB exploit or so? OK, but how can I prevent this from happening again?

I have not found any log that shows me how these files were created and accessed.
To be fair, I don't know exactly how to use egrep to find a record related to this issue.

Any idea may help me & others to find a solution for this issue.

Thanks.
 

bhznat

WOW, nice.
For this I must say thank you so much, David.

I think this is not documented anywhere, because I found nothing when googling this.

Regards,