[Modsecurity] Shellbot installation via lynx -lp
Michal Wallace
michal at sabren.com
Fri Sep 14 11:10:09 EDT 2007
On Thu, 13 Sep 2007 admin at efastservers.com wrote:
> I cant understand how lynx -lp is being executed. If its chmod 750 nobody
> from the internet can execute the command. Why do I think its lynx -lp?
> Because I killed a pid that was executing lynx -lp as the user nobody.
I bet it's not lynx. I bet the app just changes the
name of the running process to make it LOOK normal.
If you freeze it with kill -STOP and poke around in
the /proc dir for the process, you'll probably see
it started from another directory.
Sincerely,
Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal at sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------
More information about the Modsecurity
mailing list