Date: Wed, 26 Aug 2009 10:35:46 +0200
From: Colin Brace <cb@lim.nl>
To: freebsd-questions@freebsd.org
Cc: Steve Bertrand <steve@ibctech.ca>
Subject: Re: what www perl script is running?
Message-ID: <4A94F3E2.7060306@lim.nl>
In-Reply-To: <4A9474BE.6020501@ibctech.ca>
References: <4A924601.3000507@lim.nl> <25132123.post@talk.nabble.com>
 <20090825082604.41cad357.wmoran@potentialtech.com>
 <25134277.post@talk.nabble.com>
 <E668BECE594402B585544841@utd65257.utdallas.edu>
 <20090825120504.93a7c51d.wmoran@potentialtech.com>
 <6201873e0908250921w46000c2by78893a1c5b581e78@mail.gmail.com>
 <20090825130616.20ab0049.wmoran@potentialtech.com>
 <6201873e0908251237n5c819d9ag36f867b5e68e258c@mail.gmail.com>
 <20090825154358.7c792d3a.wmoran@potentialtech.com>
 <6201873e0908251511q643f3662nc73f264cbfcfe645@mail.gmail.com>
 <4A9474BE.6020501@ibctech.ca>

Steve Bertrand said the following on 08/26/2009 01:33 AM:

> In this case, OP, look for:
>
> - directories named as such:
> -- ...
> -- . ..
> -- . .
> -- etc, particularly under:
> -- /var/tmp
> -- /tmp
> -- or anywhere else the [gu]id of the webserver could possibly write to

Thanks for the comments, Steve. This has indeed been the case here:
there was a bunch of files installed by user 'www' (the webserver) in a
directory called ".," in /tmp; the script itself was in /tmp

Someone has suggested to me that the vulnerability might have been in
the RoundCube webmail package which I had installed:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0413

"Cross-site scripting (XSS) vulnerability in RoundCube Webmail
(roundcubemail) 0.2 stable allows remote attackers to inject arbitrary
web script or HTML via the background attribute embedded in an HTML
e-mail message."

--
Colin Brace
Amsterdam
http://www.lim.nl
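
The check discussed in this message, as an added example that is not part of either poster's text: a POSIX sh sketch that lists directories whose names are made up only of dots, spaces and commas ("...", ". ..", ". .", ".,") and the files owned by the web server account beneath the given roots. The function names, the WEB_USER variable and its default of "www" are assumptions of this example.

```shell
#!/bin/sh
# Added example: sweep world-writable scratch areas for the hiding places
# described in this thread. Assumption: the web server runs as "www".
WEB_USER=${WEB_USER:-www}

# odd_dirs ROOT...
# Print directories whose names consist solely of dots, spaces and commas.
# "! -name '*[!. ,]*'" reads: the name has no character outside that set.
odd_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d ! -name '*[!. ,]*' -print 2>/dev/null
    done
}

# owned_by USER ROOT...
# Print non-directory entries owned by USER (login name or numeric uid).
# Expect legitimate noise here too, such as session or upload files.
owned_by() {
    owner=$1
    shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" ! -type d -user "$owner" -print 2>/dev/null
    done
}

# Run as: sh hunt.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    echo "== directories named only with dots, spaces or commas =="
    odd_dirs "$@"
    echo "== files owned by $WEB_USER =="
    owned_by "$WEB_USER" "$@"
fi
```

Anything this turns up should be copied off with timestamps preserved (for example with `cp -Rp`) before it is deleted, so the files can still be compared against the web server's access log.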