[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Bob Hoffman bob at bobhoffman.com
Wed Jun 3 20:15:31 UTC 2009


> > > It would be prudent to review his web code to see if he did 
> > > something in an insecure way.  If his code is open to attack, it 
> > > will be so even if he puts it on a new machine.
> > 
> > 	Hence my statements to evaluate the web-apps he has running :)
> > 
> > 	I will bet dollars to donuts he had a web app with a known issue
> > 	that was not patched.  Also goes back to my previous statement
> > 	of fully patching.
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs
> and clean up if there are customer data on the machine?
> I think right about now I would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days 
> to report incidents like this to users (customers) and law 
> enforcement.


I would say, if he is local to the datacenter, pull the machine.
Take it home and analyze what is going on with it. 
Reinstalling does nothing to keep it from happening as soon as it is back on
the net.

The admin must find out what it is. I think we all agree on some things..

1- disconnect from the internet
2- back up all data
3- virus/trojan scan all data backed up
4- after figuring out what is happening and how it has happened....
4a- root kit? Other security programs? Virus/trojan check again.
4c- check all logs of any kind for any sort of key on anything sent out from
the server.
5- reinstall, patch, re-add data
6- check for issues regarding the original issue.

I think everyone is on the same page but does not know it.
I think every single person reading this would love to see not only the
resolution but what caused it and any info on preventing it.
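A minimal evidence-preservation script in the order the thread describes (volatile state first, since it is gone once the box is powered off, then a disk image, and a hash manifest so the copies can later be shown unaltered). This is an added example, not code from the thread or from CentOS; the evidence directory and the device name in the usage comment are placeholders, and the evidence directory should be on external media, not the suspect disk.

```sh
#!/bin/sh
# Collect volatile state into $1. Every command is optional and tolerated
# if missing: a CentOS 5 box has netstat but no ss, a modern one the reverse.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/collected_at.txt"
    ps -eo pid,ppid,user,etime,args > "$dir/ps.txt" 2>/dev/null || true
    { netstat -tulpan 2>/dev/null || ss -tulpan 2>/dev/null; } \
        > "$dir/sockets.txt" || true
    who -a > "$dir/who.txt" 2>/dev/null || true
    cat /proc/modules > "$dir/modules.txt" 2>/dev/null || true   # loaded kernel modules
    cp /etc/passwd "$dir/passwd.txt" 2>/dev/null || true         # look for added accounts later
    return 0
}

# Hash every collected file into MANIFEST.sha256 (the manifest itself excluded).
write_manifest() {
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 \
        -exec sha256sum {} + > MANIFEST.sha256 )
}

# Returns non-zero if any file no longer matches its recorded hash.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Sector-by-sector image of $1 into $2 (any regular file works for a dry run).
# 512-byte blocks with noerror,sync: a bad sector becomes a zero-filled sector
# instead of aborting the copy or shifting every later byte. The image's hash
# is written beside it so the copy can be re-verified before analysis.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Usage (as root, EVIDENCE_DIR on external media; /dev/sda is a placeholder):
#   collect_volatile "$EVIDENCE_DIR/volatile" && write_manifest "$EVIDENCE_DIR/volatile"
#   image_disk /dev/sda "$EVIDENCE_DIR/sda.img"   # only after the volatile data is saved
```

Do the volatile collection before pulling the cable if the network state itself is evidence; otherwise disconnect first and accept losing the socket list.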
