[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

William L. Maltby CentOS4Bill at triad.rr.com
Sun Jun 14 01:02:30 UTC 2009


On Sat, 2009-06-13 at 00:19 -0700, Linux Advocate wrote:
> <snip>
> > 
> > Note that /dev/shm is a tmpfs file system. It will be dynamically
> > populated. I would expect the attack vector still resides on your system
> > somewhere else.
> > 
> 
> 
> I'm looking for it bro... the machine is disconnected from the net but I have not formatted it yet... I really need to know how it happened....

Have you run the rpm with the --verify? You'll need to get another
option or two to get it to give more verbose information.

It occurred to me too that finding files not provided by any package might
give some clues (although most of what it may return will not be
problems). If you get a list of all files (use find so even "hidden" ones
appear) and then use rpm to find out --whatprovides you should get a
bunch - some user and a few not user files. These become candidates for
further inspection. There's always going to be a few that are not from a
package but are OK.

Good luck on your detecting.

<snip sig stuff>

-- 
Bill
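
The two checks suggested in this message, as an added sketch that is not code from the thread: triage `rpm -Va` (verify all) output, then list files that no package owns. It uses `rpm -qf` for the ownership lookup rather than `--whatprovides`; the function names, the `OWNER_QUERY` override and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names and OWNER_QUERY are hypothetical helpers.

# Constructed sample of `rpm -Va` output (not from the affected host).
sample_verify_output() {
cat <<'EOF'
S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T    /usr/sbin/httpd
.......T    /usr/lib/python2.4/site.pyc
missing     /usr/bin/lsattr
.M......    /var/run/httpd
EOF
}

# Filter `rpm -Va` output on stdin: report missing files and files whose
# digest changed ("5" in the third flag column). Changed config files
# (attribute marker "c") are skipped because admins edit them routinely.
triage_verify() {
    awk '
        { path = $0; sub(/^[^\/]*/, "", path) }   # keep text from first "/"
        $1 == "missing"         { print "MISSING " path; next }
        $2 == "c"               { next }
        substr($1, 3, 1) == "5" { print "CHANGED " path }
    '
}

# Print regular files (dotfiles included) under the given directories that
# no package owns. `rpm -qf FILE` exits non-zero for an unowned file.
# OWNER_QUERY overrides that command so the logic runs without rpm.
unowned_files() {
    find "$@" -xdev -type f -exec sh -c '
        q=$1; shift
        for f do
            $q "$f" >/dev/null 2>&1 || printf "%s\n" "$f"
        done' sh "${OWNER_QUERY:-rpm -qf}" {} +
}

# On the disconnected machine (directory list is illustrative):
#   rpm -Va | triage_verify
#   unowned_files /bin /sbin /usr /var/www
```

Both checks trust the rpm database and binaries on the suspect system, so results are more reliable when run from rescue media against the mounted disk (`rpm --root`).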



