[rfk-dev] robotfindskitten.cgi considered harmful?
Martin Pool
mbp@samba.org
Tue, 3 Jul 2001 09:02:31 +1000
On 2 Jul 2001, "Peter A. Peterson II" <pedro@tastytronic.net> wrote:
> You might have noticed that the robotfindskitten.cgi page at
> kathleen.northpark.edu is down. This is because the box has crashed. I'm
> not sure why; it's possible that there was a power outage that left the
> drive in an unbootable way, or that it was hax0red, but
> robotfindskitten.cgi is the only change I made to it in the last 6
> months. Is there anything I should look for in attempting to detect
> either an intrusion or a catastrophic failure? I could mount this drive
> on two-bit next week if anyone cares to inspect it.
I hope that's not why. I did warn that somebody else should check for
problems, though.

You can start by booting from a CD (if possible) and running the
current version of
http://freshmeat.net/projects/checkrootkit/

If it's a Red Hat machine, then you can try using rpm --verify.

There's also this recent article:
http://www.cchem.berkeley.edu/College/unix/docs/rootkit.html

Also, it would be good to configure that program to run as a nobody
user using Apache's CGI setuid wrapper.

Talk to me off the list if you would like more help.
--
Martin
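
The rpm --verify check suggested in the message above, as an added example that is not part of the original post: a filter that reduces `rpm -Va` output to packaged files whose digest, mode or ownership changed, or that are missing. The sample lines are constructed, the mount point /mnt/suspect is hypothetical, and paths are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example: triage `rpm -Va` output read on stdin.
# Flag columns used: 5 = digest differs, M = mode, U/G = owner/group.
# Assumes paths without spaces.
triage_rpm_verify() {
  awk '
    function add(r, s) { return (r == "") ? s : r "," s }
    {
      flags = $1
      # Optional attribute marker: c config, d doc, g ghost, l license, r readme.
      if (NF >= 3 && $2 ~ /^[cdglr]$/) { attr = $2; path = $3 }
      else                             { attr = "-"; path = $2 }
      # Config and ghost files are expected to differ from the package.
      if (attr == "c" || attr == "g") next
      if (flags == "missing") { print "MISSING " path; next }
      why = ""
      if (flags ~ /5/)    why = add(why, "digest")
      if (flags ~ /M/)    why = add(why, "mode")
      if (flags ~ /[UG]/) why = add(why, "owner")
      if (why != "") print "CHANGED " path " (" why ")"
    }'
}

# Constructed sample in the layout `rpm -Va` prints (not from a real host).
sample_output() {
  cat <<'EOF'
S.5....T.  c /etc/hosts
.......T.  d /usr/share/doc/foo/README
S.5....T.    /bin/ps
.M...U...    /usr/bin/passwd
missing      /sbin/ifconfig
EOF
}

sample_output | triage_rpm_verify
# On the real disk, mounted read-only at the hypothetical /mnt/suspect:
#   rpm -Va --root /mnt/suspect | triage_rpm_verify
```

The RPM database being compared against lives on the suspect disk, so a clean result does not prove the binaries are untouched.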