From: Kees Plonsz
X-Newsgroups: list.fbsd.questions
Date: Mon, 27 Feb 2006 23:28:17 +0100
Organization: None
References: <4403758C.3080401@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: Apparent Hack attempt filling partition

Steel City Phantom wrote on Monday 27 February 2006 22:56:

> It seems that on Friday I had some kind of hack scanner hit one of my
> servers. It went thru the website looking for scripts, I believe it was
> my hosting company that did it with their vulnerability scanner. The
> problem is that for some reason, the server was kicked into a loop
> failing on a perl script that eventually filled the /var partition with
> a 1 gig error log file and brought mysql down for lack of temp space to
> run some queries.

I think that is the "Net-Worm.Linux.Mare.d". It is not specific to Linux but
works on all *unix machines with the PHP XML-RPC library and MAMBO. One of the
files it uses is ping.txt:

> mv: ping.txt: No such file or directory

http://www.f-secure.com/v-descs/mare_d.shtml