On Mon, 14 Nov 2005, Matt Graham wrote:
> Yikes. Check out what apt-get says when I tell it to upgrade.
> That's a big list. Should I be afraid for my system if I say yes? Or do I trust apt to do its thing? Should my system be in any type of runlevel when I do this? Can I do this from an ssh session?
Are you running "stable", aka sarge? If so, then go ahead and upgrade if you want, it should be okay. Changing runlevels isn't necessary. You can do it from ssh.
But, we don't know that your system has been purged of bad stuff. We _think_ that there are processes running as the www-data user, but I didn't see your output from the ps -u www-data command. It seems logical that your box wasn't rooted, but I'm just guessing from behind an opaque curtain. There was a local root exploit in the 2.4 and 2.6 kernels about a year ago, and if your installation is 9 months old or older, you might well have been rooted.
I just looked it up: kernel versions < 2.4.30 and < 2.6.10 are vulnerable. If you're running a kernel older than these, reinstall.
Either way, removing awstats removed the access hole, but didn't necessarily remove anything else that might have been uploaded to your machine. Bad guys have been using your box, and you don't know what all they might have done. We are assuming at this point that everything that they did was done as www-data, your apache owner.
Do a

    # find / -user www-data > /tmp/www-data_owned_files.txt

then look through it for funny stuff. But, if your kernel is older than the versions listed above, reinstall anyway.
That's just my opinion.
-Don
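
The two checks from the message above as a shell script, added here as an example and not part of the original thread: `kernel_status` applies the version thresholds quoted in the message, and `triage_owned_files` sorts the `find` output by path so the odd entries come out first. The function names, the `/var/www` web root and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Thresholds are the ones quoted in the
# message: 2.4 kernels below 2.4.30 and 2.6 kernels below 2.6.10.

# kernel_status VERSION -> prints "reinstall", "ok" or "unknown"
kernel_status() (                     # subshell body keeps the IFS change local
    ver=${1%%-*}                      # 2.6.8-2-386 -> 2.6.8
    IFS=.
    set -- $ver                       # split on dots into $1 $2 $3
    patch=${3:-0}
    patch=${patch%%[!0-9]*}           # 10rc1 -> 10
    case "${1:-}.${2:-}" in
        2.4) fixed=30 ;;
        2.6) fixed=10 ;;
        *)   fixed= ;;                # series the message does not cover
    esac
    if [ -z "$fixed" ]; then echo unknown
    elif [ "${patch:-0}" -lt "$fixed" ]; then echo reinstall
    else echo ok
    fi
)

# triage_owned_files LIST [WEBROOT] -> prints "REASON<TAB>PATH" per flagged path.
# LIST is the saved find output; WEBROOT (assumed /var/www) is where files owned
# by www-data are expected. Unflagged paths still need a read-through.
triage_owned_files() {
    webroot=${2:-/var/www}
    while IFS= read -r path; do
        case "$path" in
            /proc/*)                      continue ;;  # live processes: see ps -u www-data
            /tmp/*|/var/tmp/*|/dev/shm/*) reason=temp-dir ;;
            */.*)                         reason=hidden-name ;;
            "$webroot"/*)                 continue ;;
            *)                            reason=outside-webroot ;;
        esac
        printf '%s\t%s\n' "$reason" "$path"
    done < "$1"
}

# Constructed sample of find output, for a dry run away from the real host.
sample_list() {
    printf '%s\n' /var/www/index.html /var/www/.cache/x /tmp/.bash/bot \
        /proc/4242/cmdline /var/cache/apache2/mod_x /usr/local/bin/helper
}

if [ "${1:-}" = demo ]; then
    kernel_status "$(uname -r)"
    tmp=$(mktemp) && sample_list > "$tmp" && triage_owned_files "$tmp"
    rm -f "$tmp"
fi
```

On the affected machine, call `triage_owned_files /tmp/www-data_owned_files.txt` after running the `find` command from the message.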