On Mon, 14 Nov 2005, Matt Graham wrote:
I don't see the lupii file in /tmp. I see the following:
There is no netstat output with lupii.
Okay, so you're (probably) a victim of the awstats hole, but not the worm that exploits it.
It's been a while since I've done an apt-get upgrade. Those always seem to make my system unbootable for some reason, so I guess I put them off too long.
Subscribe to debian-security@lists.debian.org. Then just upgrade the packages you're running that have security holes.
I'd be real interested in what returns if you do a # zgrep awstats.pl? /var/log/apache/access.log.?.gz|less
That'd show who was testing for the exploit in the last 10 weeks, and probably the exploit itself. I'm still assuming that the awstats hole is the method of entry, as you were vulnerable and the above "grep" run on three separate web servers shows 25 to 37 exploit attempts each.
I'd also be curious what you get by running a
# ps -u www-data
which would show any processes running that are owned by the www-data user. If you've got anything other than a web server and gcache, kill the process and save the file for forensics.
My plan is to backup important stuff, format the system partition (my /home is on a different drive altogether), reinstall debian stable and do regular (weekly?) apt-get updates.
You might try mondoarchive as a last ditch bare-metal recovery backup system. It historically has had a few issues running on debian, but worked for me the one time my normal backups were corrupted and I _really_ needed it.
Regards,
-Don
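The two checks Don suggests (grep the rotated Apache logs for awstats.pl requests, and look for www-data processes that are not the web server), written out as an added example. This is not code from anyone in the thread; it assumes a standard sh/grep/awk/sort userland, the access-log lines and the ps output are constructed, and the idea that an exploit attempt shows up as an awstats.pl request whose query string carries shell metacharacters is an assumption about what Don's grep would turn up, not something the thread states.

```sh
#!/bin/sh
# Added example, not from the thread.  Sample log and ps lines are constructed.
# Assumption: an exploit attempt against the awstats hole appears as a request
# for awstats.pl whose query string carries shell metacharacters (| ; ` or
# their URL-encoded forms %7C %3B %60).

LOG=$(mktemp)
trap 'rm -f "$LOG" "$LOG.gz"' EXIT

# Constructed access.log: two probes from 10.0.0.5, two legitimate awstats
# requests, one unrelated request.
cat > "$LOG" <<'EOF'
10.0.0.5 - - [12/Nov/2005:03:14:07 +0000] "GET /cgi-bin/awstats.pl?configdir=|cd%20/tmp;id| HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Nov/2005:09:22:41 +0000] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Nov/2005:03:14:09 +0000] "GET /awstats/awstats.pl?configdir=%7Ccd%20/tmp%3Bid%7C HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Nov/2005:11:00:02 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Lynx/2.8"
203.0.113.9 - - [14/Nov/2005:08:45:30 +0000] "GET /cgi-bin/awstats.pl?config=example.org&lang=en HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
EOF

# Every request for awstats.pl, like the thread's zgrep, reading plain or
# gzipped (rotated) logs.  Usage: awstats_requests access.log access.log.1.gz ...
awstats_requests() {
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done | grep 'awstats\.pl?'
}

# Of those, keep only the ones whose query string (everything up to the next
# space) contains a shell metacharacter, raw or URL-encoded.
awstats_probes() {
  awstats_requests "$@" | grep -E 'awstats\.pl\?[^ ]*(%7[cC]|%3[bB]|%60|[|;`])'
}

# Source addresses of the probes, most active first.
probe_sources() {
  awstats_probes "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Portable line count (wc -l pads with spaces on some systems).
count_lines() {
  awk 'END { print NR }'
}

# Reads "pid command" lines such as `ps -u www-data -o pid=,comm=` prints and
# keeps the ones whose command is not in the comma-separated allow list.
# Anything that comes out is what Don says to kill and keep for forensics.
unexpected_www_processes() {
  awk -v ok="$1" '
    BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    !($2 in allow) { print }'
}

# Rotated logs are gzipped; make one so the .gz branch gets exercised too.
if command -v gzip >/dev/null 2>&1; then
  gzip -c "$LOG" > "$LOG.gz"
fi

echo "== every awstats.pl request =="
awstats_requests "$LOG"
echo "== probable exploit attempts =="
awstats_probes "$LOG"
echo "== probing hosts, most active first =="
probe_sources "$LOG"
echo "== www-data processes that are not the web server (constructed ps output) =="
printf '1234 apache\n1235 apache\n2001 gcache\n6666 lupii\n' \
  | unexpected_www_processes apache,apache2,gcache
```

On a real box you would run `awstats_probes /var/log/apache/access.log*` (the function accepts any mix of plain and .gz files) and feed `ps -u www-data -o pid=,comm=` into `unexpected_www_processes`, adjusting the allow list to whatever is legitimately supposed to run as www-data on that host. The metacharacter filter is a first cut: it will miss an injection that uses an encoding not listed here, so it narrows the list rather than replacing a look at the raw awstats.pl requests.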