Hi,

You don't need passwords if you have vulnerable scripts or malware php
scripts. If you don't have an AV solution, you need one. Try AVG,
it's free, it works. Once installed do a basic scan: avgscan -x
/var/lib/ntp/proc -P -p -r ~/avgscan.log /* Evil will show up in the
logs as follows:


Code:
--------------------
/build/event/a.2/linux9 Virus identified Linux/Brk.B
/build/event/ijoo/bot/xh Virus identified Linux/ProcHider.C
/build/event/infected.surveys.businessOfficer.r57.php Trojan horse PHP/BackDoor.R57Shell
/build/event/infected.lib.ldd.so/tks Virus identified Linux/Sysniff.B
/build/event/infected.sbin.syslogd Virus identified Linux/Agent2.AA
/build/event/infected.usr.bin.slocate Virus identified Linux/Agent.V
--------------------


Any of that stuff means you have been infested with a backdoor that
lets them do whatever they like, whenever they like. If your full scan
comes up clean (that's good!) then it's a poorly written script allowing
SQL injection, or whatever....

Please look at your HTTP logs (e.g. /var/log/apache2/access_log and
error_log) and look for SQL or Perl injection. Perl injection
typically has a lot of semicolons. For example:


Code:
--------------------
"GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; ;echo%20YYY;echo|
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id %27%29.%27;
"GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id %27%29.%27;
"GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|
"GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id; echo%20YYY;echo|

--------------------


SQL injection is similar. You'll see SQL statements being injected.

You can tell if these are being executed by comparing to the error_log
entries.

Google any of these topics; they are not, in any way, SLES specific.

-- Bob


--
Bob Mahar -- Novell Knowledge Partner
Do you do what you do at a .EDU? http://novell.com/ttp
"Programming is like teaching a jellyfish to build a house."
More Bob: 'Twitter' (http://twitter.com/BobMahar) 'Blog'
(http://blog.trafficshaper.com) 'Vimeo' (http://vimeo.com/boborama) <--
Click And Be Amazed!
------------------------------------------------------------------------
Bob-O-Rama's Profile: http://forums.novell.com/member.php?userid=5269
View this thread: http://forums.novell.com/showthread.php?t=448977
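As an added example (not part of Bob's post, AVG, or any Novell tool), the following Python script applies the log-review advice above: it URL-decodes each request's query string from an Apache access_log and flags the shapes Bob describes, namely pipe- and semicolon-heavy command strings like the awstats configdir= attempts, PHP passthru()/system() calls, and injected SQL keywords. The log lines are constructed for the demo and the rule regexes are assumptions, a starting point rather than a complete signature set.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access_log: two lines shaped like the post's examples
# (awstats configdir= command injection, PHP passthru() in a query string),
# one constructed SQL injection attempt, and one ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27; HTTP/1.1" 200 128
10.0.0.6 - - [01/Jan/2010:10:00:02 +0000] "GET /news.php?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2010:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Pull the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed heuristics, applied to the URL-decoded query string.
PHP_RE = re.compile(r"\b(?:passthru|system|exec|shell_exec|eval)\s*\(")
SQL_RE = re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d|;\s*drop\s+table\b")
SEMICOLON_THRESHOLD = 3  # the post: Perl injection "typically has a lot of semicolons"


def classify(target: str) -> set:
    """Return the injection classes a request target matches (empty set = clean)."""
    _path, _, query = target.partition("?")
    decoded = unquote(query)
    tags = set()
    # Shell metacharacters in a CGI parameter: a pipe-delimited command list
    # (configdir=|...|) or a run of semicolons chaining commands.
    if decoded.count(";") >= SEMICOLON_THRESHOLD or re.search(r"=\|.*\|", decoded):
        tags.add("cmd-injection")
    if PHP_RE.search(decoded):
        tags.add("php-injection")
    if SQL_RE.search(decoded):
        tags.add("sql-injection")
    return tags


def scan_access_log(text: str) -> list:
    """Return (client, target, tags) for every request that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line
        tags = classify(m.group("target"))
        if tags:
            hits.append((line.split(" ", 1)[0], m.group("target"), tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan_access_log(SAMPLE_LOG):
        print(f"{client} {sorted(tags)} {target}")
```

A hit only shows an attempt; as the post says, check the matching error_log entries (and the response status and size) to judge whether the injected command or query actually ran.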