Question about a (spam-)bot that creates subdirectories in /tmp (Linux Security forums, System Security and Security Related category)
Hello out there!

Does anybody know something about a bot or something similar? I've found a directory /tmp/,../ with the following content:

total 51
drwxr-xr-x 2 www-data www-data 1024 Jul 25 22:32 .
drwxrwxrwt 7 root root 5120 Jul 25 22:50 ..
-rw-r--r-- 1 www-data www-data 38166 Jul 16 21:43 error.php?tipo=404
-rw-r--r-- 1 www-data www-data 2319 May 17 03:03 go.php
-rw-r--r-- 1 www-data www-data 62 Jul 16 21:44 ok.txt
-rw-r--r-- 1 www-data www-data 44 Jun 19 04:42 teste.txt
-rw-r--r-- 1 www-data www-data 801 Jun 30 01:50 tiranosarro.html

This always can be found when the machine started to send masses of emails. Anybody there, who knows where it comes in?

TIA, Sigmar
> Does anybody know something about a bot or
> something similar?
>
> I've found a directory /tmp/,../ with the following content:
>
> This always can be found when the machine started to send masses
> of emails.

I don't know of a specific worm on UNIX that does this. From the uids I would assume that someone has compromised your system via the web server, and has been able to run arbitrary code. Perhaps a vulnerable CGI script or old PHP version.

You should keep a backup copy of the hard drive for analysis, but your only option for your Internet connected system is to wipe out everything and install the OS again, this time making sure that all software is up to date and unnecessary services are disabled.

--
Jem Berkes
http://www.sysdesign.ca/
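Added example, not part of the original thread: a POSIX sh check for the pattern visible in the listing above, that is, entries under a temp directory owned by the web-server account that are script files or directories whose names start with a dot or comma. The function name, the default user www-data and the name patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list entries under a temp directory
# that are owned by the web-server account and look like dropped scripts or
# disguised directories. Function name, defaults and patterns are assumptions.

scan_tmp_for_webuser() {
    dir=${1:-/tmp}
    user=${2:-www-data}
    # -xdev keeps find on one filesystem. The inner shell receives paths as
    # arguments, so odd names (spaces, "?", ",..") are handled safely.
    # $0 of the inner shell carries the start directory so it can be skipped.
    find "$dir" -xdev -user "$user" -exec sh -c '
        for path do
            if [ "$path" = "$0" ]; then continue; fi
            name=${path##*/}
            reason=
            if [ -d "$path" ] && [ ! -L "$path" ]; then
                # Names built to be overlooked beside "." and "..", e.g. ",.."
                case $name in
                    [.,]*) reason=disguised-dir ;;
                esac
            elif [ -f "$path" ]; then
                # ".php" anywhere in the name also catches "error.php?tipo=404"
                case $name in
                    *.php*|*.pl|*.cgi|*.sh|*.py) reason=script-file ;;
                esac
            fi
            if [ -n "$reason" ]; then
                printf "%s\t%s\n" "$reason" "$path"
            fi
        done
    ' "$dir" {} +
}
```

Run it as root so find can read every subdirectory; each output line is a reason and a path, separated by a tab.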