Date: Wed, 26 Aug 2009 02:15:01 -0700 (PDT) From: Colin Brace <cb@lim.nl> To: freebsd-questions@freebsd.org Subject: Re: what www perl script is running? Message-ID: <25149271.post@talk.nabble.com> In-Reply-To: <25143778.post@talk.nabble.com> References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134056.post@talk.nabble.com> <20090825134250.GA6871@ei.bzerk.org> <25135959.post@talk.nabble.com> <4A943A9B.1030703@cyberleo.net> <25143778.post@talk.nabble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Colin Brace wrote: > > > CyberLeo Kitsana wrote: >> >> Are these files available in a tarball someplace public, for those of us >> who enjoy performing autopsies on virii? > > Sure thing: http://silenceisdefeat.com/~cbrace/www_badstuff.gz > > this tarball contains "tmpfile" which is the misbehaving script as well as > the contents of a directory called ".," which has a bunch of source code > and so on. As indicated earlier, this stuff was installed by user 'www'. > > It should be unpacked in an empty directory. Oops, I missed six more files written by www to /tmp. Here they are: http://silenceisdefeat.com/~cbrace/www_badstuff-2.gz ----- Colin Brace Amsterdam http://lim.nl -- View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25149271.html Sent from the freebsd-questions mailing list archive at Nabble.com.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?25149271.post>