linux-admin.vger.kernel.org archive mirror
From: Chris <chris@deksai.com>
To: linux-admin@vger.kernel.org
Subject: deleted perl hacks in /tmp
Date: Thu, 15 Apr 2010 17:36:41 -0400
Message-ID: <20100415213631.GA1251@chris-laptop.a2hosting.com>

I have some web servers which occasionally have hacks that are uploaded that
change their name to look like apache and somehow get apache to send requests
to them.  The result is that people somewhat randomly get pages advertising
self enhancing drugs etc.  The hacks are perl scripts, but they are run from
/tmp and then deleted.  Trying to get anything out of /proc/pid/fd/whatever
just yields an empty file.  Anyone have any ideas on how to recover the
original script?  Right now I just have a process checking for them and
whacking them when I see them, but I'd like to know more about them to actually
prevent them from happening.

Any thoughts would be appreciated!

Chris
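
An added example, not part of Chris's message or of any reply in the thread: a triage script for the situation described above. It flags processes whose command line claims to be the web server while /proc/<pid>/exe points at something else, and lists their descriptors that still reference deleted files. The names in SERVER_NAMES and the proc_root parameter (which allows a run against a constructed tree) are assumptions.

```python
import os

# Assumption: process names the real web server uses on this host.
SERVER_NAMES = {"apache", "apache2", "httpd"}
DELETED = " (deleted)"  # suffix the kernel appends to unlinked targets

def _link(path):
    """Return a symlink's target, or None if it is gone or unreadable."""
    try:
        return os.readlink(path)
    except OSError:
        return None

def inspect_pid(proc_root, pid):
    """Return a finding dict if pid claims to be the web server but is not."""
    base = os.path.join(proc_root, pid)
    exe = _link(os.path.join(base, "exe"))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            # A process that rewrites its name may leave spaces, not NULs.
            words = fh.read().replace(b"\0", b" ").decode(errors="replace").split()
    except OSError:
        return None
    if not exe or not words:
        return None  # kernel thread, exited process, or no permission
    real = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    claimed = os.path.basename(words[0])
    if claimed not in SERVER_NAMES or os.path.basename(real) in SERVER_NAMES:
        return None
    fd_dir = os.path.join(base, "fd")
    deleted = []
    try:
        fds = sorted(filter(str.isdigit, os.listdir(fd_dir)), key=int)
    except OSError:
        fds = []
    for fd in fds:
        target = _link(os.path.join(fd_dir, fd))
        if target and target.endswith(DELETED):
            deleted.append((int(fd), target))
    return {"pid": int(pid), "exe": exe, "claims": words[0], "deleted_fds": deleted}

def scan(proc_root="/proc"):
    """Inspect every numeric entry under proc_root; run as root for full coverage."""
    found = (inspect_pid(proc_root, p) for p in os.listdir(proc_root) if p.isdigit())
    return sorted((f for f in found if f), key=lambda f: f["pid"])

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Logging each finding before the process is killed keeps the pid, real interpreter path and deleted file names for later review.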


Thread overview: 8+ messages
2010-04-15 21:36 Chris [this message]
2010-04-16  1:42 ` deleted perl hacks in /tmp Dwight Hubbard
2010-04-16  4:43   ` Alex
2010-04-16  9:28 ` terry white
2010-04-16 15:45   ` Chris
2010-04-16 20:38     ` Herta Van den Eynde
2010-04-16 21:27       ` Chris
2010-05-01 19:27         ` Alex
