[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Linux Advocate
linuxhousedn at yahoo.com
Wed Jun 3 13:22:32 UTC 2009
My replies below.... I'm just so down in the dumps now.... aaahhhhh
----- Original Message ----
> From: Neil Aggarwal <neil at JAMMConsulting.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Wednesday, June 3, 2009 1:38:05 PM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> The original poster stated he did know how what
> the process was. He stated he believed the machine
> was being attacked. He asked for advice from the
> community on how to handle the situation.
Yes. This was and is still my understanding. This was what 'top' showed...
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23119 apache 15 0 964 556 472 S 0.7 0.0 0:03.68 atack
23479 apache 15 0 964 556 472 S 0.7 0.0 0:01.94 atack
22170 apache 15 0 964 560 472 S 0.3 0.0 0:05.23 atack
22375 apache 15 0 964 560 472 S 0.3 0.0 0:04.21 atack
22858 apache 15 0 964 560 472 S 0.3 0.0 0:02.87 atack
'ps -ef' showed
apache 24253 23378 0 10:54 ? 00:00:00 ./atack 100
apache 24286 23378 0 10:59 ? 00:00:00 ./atack 100
apache 24292 23378 0 11:00 ? 00:00:01 ./atack 100
apache 24335 23378 0 11:01 ? 00:00:00 ./atack 100
> The original poster's statements imply it was not put
> there by an authorized user.
Yes, no one but me has access to the machine.
> Someone does not just
> casually assume a machine has been hacked. They
> have a reason for suspecting it.
Applications running:
1. horde groupware webmail edition, just the framework though.
2. phpmyadmin
3. postfixadmin
4. postfix
5. dovecot
6. fail2ban
7. monit
2 -> 7 I installed from the repos.
The CentOS box was running 5.2 when I first noticed the 'slowness'. I then updated to 5.3 hoping that the problem would go away.
I am not worried about reinstalling (I loathe doing it), but my worry here (as some of you have accurately pointed out) is that the 'issue' will repeat again because I just don't know what happened. I'm just surprised that a CentOS box was compromised.
The box is unplugged now.
Any more ideas?
Regards,
Maco.
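The 'top' and 'ps -ef' excerpts above show the pattern a responder looks for: a service account (apache) running a binary from a relative path, with every copy sharing one parent PID. The script below is an added example, not code from the thread or from CentOS; it parses ps -ef text, flags processes owned by service accounts that were launched from a relative path or a world-writable directory, and groups them by parent so the spawning process can be examined. The sample listing is constructed from the post's four ./atack lines plus hypothetical init, sshd and httpd rows (PID 23378 as the httpd parent is an assumption; the post only shows that PPID). On a live Linux box, proc_paths() additionally resolves /proc/<pid>/exe and cwd, which tells you where the binary really lives even after it has been deleted from disk.

```python
"""Triage helper for ps -ef output: flag processes owned by service accounts
that were launched from a relative path or a world-writable directory, and
group them by parent PID so the process that spawned them can be examined."""
import os
import re
from collections import defaultdict

# Constructed sample: the four ./atack rows from the post plus hypothetical
# init, httpd (assumed parent, PID 23378) and sshd rows for contrast.
SAMPLE_PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:02 /sbin/init
apache    23378  1200  0 10:50 ?        00:00:00 /usr/sbin/httpd
apache    24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache    24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache    24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache    24335 23378  0 11:01 ?        00:00:00 ./atack 100
root       900     1  0 10:00 ?        00:00:00 /usr/sbin/sshd
"""

# Accounts that should only ever run their own daemon's binaries.
SERVICE_ACCOUNTS = {"apache", "www-data", "nobody", "postfix", "dovecot"}
# A service account executing something from these trees is a red flag.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")

# UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def parse_ps(text):
    """Return a list of {uid, pid, ppid, cmd} dicts from ps -ef output."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        m = PS_LINE.match(line)
        if m:
            uid, pid, ppid, cmd = m.groups()
            procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd.strip()})
    return procs


def is_suspicious(proc):
    """True when a service account runs a relative-path or writable-dir executable."""
    if proc["uid"] not in SERVICE_ACCOUNTS:
        return False
    exe = proc["cmd"].split()[0]
    return not exe.startswith("/") or exe.startswith(WRITABLE_PREFIXES)


def triage(text):
    """Group suspicious processes by parent PID:
    {ppid: {"parent_cmd": str, "children": [pid, ...], "cmds": {cmd, ...}}}."""
    procs = parse_ps(text)
    by_pid = {p["pid"]: p for p in procs}
    groups = defaultdict(lambda: {"parent_cmd": None, "children": [], "cmds": set()})
    for p in procs:
        if is_suspicious(p):
            parent = by_pid.get(p["ppid"])
            g = groups[p["ppid"]]
            g["parent_cmd"] = parent["cmd"] if parent else "<parent not in listing>"
            g["children"].append(p["pid"])
            g["cmds"].add(p["cmd"])
    return dict(groups)


def proc_paths(pid):
    """On a live Linux host, resolve the real executable and working directory
    of a PID via /proc (a removed binary shows up as '... (deleted)').
    Returns None when /proc/<pid> is not readable or the PID is gone."""
    base = f"/proc/{pid}"
    try:
        return {"exe": os.readlink(f"{base}/exe"), "cwd": os.readlink(f"{base}/cwd")}
    except OSError:
        return None


if __name__ == "__main__":
    for ppid, g in triage(SAMPLE_PS_OUTPUT).items():
        print(f"parent {ppid} ({g['parent_cmd']}) spawned "
              f"{len(g['children'])} suspicious children: {sorted(g['cmds'])}")
        print("  live /proc details for parent:", proc_paths(ppid))
```

Run against a saved `ps -ef` capture (or pipe live output into parse_ps) before pulling the plug; once the box is powered off, /proc is gone and only the disk image remains. The parent's cwd and exe, plus the httpd access log around the STIME of the first child, usually point at the vulnerable web application through which the binary arrived.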