Outage was during some investigating I needed to do.

Seems that I had 3 daemons runnign I knew nothing about.

They were all running as the web-server. Basically no write access except for /var/tmp period.

I discovered a coupla things in /var/tmp:

-rw-r--r--  1 www-data www-data 11756 Nov 20 20:03 bd2.pl\n-rwxrwxrwx  1 www-data www-data 18712 Nov 20 22:25 bind\n-rwxrwxrwx  1 www-data www-data 19242 Nov 20 02:20 r0nin\n-rw-r--r--  1 www-data www-data 19242 Nov 20 02:22 r0nin.1

bd2.pl its first few lines:

#!/usr/bin/perl\n# Telnet-like Standard Daemon 1.0\n#\n#    Dark_Anjo - dark_anjo666@hotmail.com\n#            - dark_anjo@nucleozero.com.br\n#            - www.xn.rg3.net\n#            - www.red.not.br/xn\n#\n#  For those guys that still like to open ports\n#  and use non-rooted boxes\n#\n#  This has been developed to join in the TocToc\n#  project code, now it's done and I'm distributing\n#  this separated\n#\n#  This one i made without IO::Pty so it uses\n#  only standard modules... enjoy it\n#\n#  tested on linux boxes.. probably will work fine on others\n#  any problem... #expl0its@irc.brasnet.org\n#

bind and r0nin are Binary files... They both do the listen on >1024 ports thinger for shell access.

BUT, since I don't allow-in any ports except ones I know about for each machine... they couldn't be used. Sure helps to be anal about these things.

Now, how did they come to be on the machine you ask?

Through the use of twiki.iwethey.org and PHP. Only because PHP needs to use temporary space. This is widely known and I knew the risks by not using SAFEMODE (or what ever it is called.) Nobody was able to login to knight to try things.

Guess I'll have to enable PHP only for those sites needing it. Oh and force Drew to use SAFE MODE on PHP... :)

Here is the actual source code for the r0nin daemon: [link|http://invaultech.com/files/cat/Hacks/webFileBrowser.php?act=show&subdir=NEWFILES&sortby=name&file=cgi.c|r0nin code]

And here is a rundown of the bind daemon: [link|http://www.securityfocus.com/archive/100/247640|Remote Shell Trojan or RST.b].

Both of these are pretty darn harmless if nobody can connect to the ports. I have done an MD5 check and a some rootkit checks on all critical file-systems... /var/tmp and /tmp (mainly because stuff is there during normal operation) are the only suspicious areas.

Which BTW, the files are gone and I'll be changing PHP's mode. So Drew if your junk fails to work proper. You are gonna need to fix it. If you need the other mode... you are going to have to do some serious convincing.

(edit)There take that DREWK. You are getting a bit pedantic lately or am I just starting to notice it?

...is that I have a lot of tables that go wider than the display size - when you've got possibly a hundred columns in a table, it can be hard to view in the monitor width. Anyway, once the table exceeds the window boundary, the table layout rules should give up trying to squeeze it back in. Similar to the way lists used to operate in the IWE forums where the right shift would eventually mean that you get one word per line.

Not that this has anything to do with you current predicament... But it reminds me that the one column says use 100% while the other is not 0%... I've seen that method used not infrequently, but I still I'm not comfortable with it.

Edit Note: The other thing I wonder is whether specifying the width attribute in the style in the first column but doing it in the td attribute in the other is the problem. Will it work if they are both set in the same manner (i.e. both as width= or both as style='width:").

Welcome to IWETHEY!