[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

John R Pierce pierce at hogranch.com
Sun Jun 14 06:08:10 UTC 2009


Linux Advocate wrote:
> DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? 
> AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
>
> Was this why rkhunter popped out with this warning?
>
> * Filesystem checks
>    Checking /dev for suspicious files...                      [ OK ]
>    Scanning for hidden files...                               [ Warning! ]
> ---------------
> /etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
> ---------------
> Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)  /dev/.udev (directory)
>
> Should I delete these files? Are the man files normally .gz or .bz2 ?
>
> There is also a similar entry, where another file called unix2.tgz was downloaded....
>
> But I can't find these files on the HDisk?
> Guys, I am out of my league here. All assistance is deeply appreciated.
>   

I *hope* this machine is disconnected from the internet and running a 
liveCD to investigate this.

yes, it appears you've been hacked, and have stealth files (any file 
with . in front of the name is hidden and would only show with ls -a) and 
if you *are* rootkitted, there's a strong possibility your ls and other 
command tools have been replaced.

and, it appears it came in via an exploit in that horde framework (I 
know nothing about horde)
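
As an added example (not code from this thread, nor from CentOS or rkhunter), here is the kind of sweep you would run from a live CD with the suspect disk mounted read-only: it uses find rather than the suspect host's own ls to list hidden dot-entries below chosen directories, drops entries that are expected on a clean install, and compares core binaries against a checksum baseline taken from a known-good machine. The mount point, the whitelist and the miniature directory tree the demo builds are all constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Intended to be run from
# a live CD with the suspect disk mounted read-only (e.g. at /mnt/suspect),
# so the suspect host's possibly replaced ls/find are never executed.
# Everything below the mount point in this demo is constructed.

# Hidden entries that are expected on a clean install (constructed whitelist;
# build the real one by running list_hidden against a known-good machine).
EXPECTED_HIDDEN='
/etc/.pwd.lock
/dev/.udev
'

# list_hidden ROOT DIR...
# Print every file or directory whose name starts with "." below each DIR,
# as a path relative to ROOT, skipping whitelisted entries.
list_hidden() {
    root=$1; shift
    for d in "$@"; do
        find "$root$d" -name '.*' 2>/dev/null
    done | while IFS= read -r path; do
        rel=${path#"$root"}
        case "$EXPECTED_HIDDEN" in
            *"
$rel
"*) ;;                                  # whitelisted: expected on a clean box
            *) printf '%s\n' "$rel" ;;      # anything else deserves a look
        esac
    done
}

# make_baseline ROOT FILE...
# Print "sha256  /path" lines for the given files; run this on a clean
# machine of the same release and keep the output off the suspect host.
make_baseline() {
    root=$1; shift
    for f in "$@"; do
        sum=$(sha256sum "$root$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f"
    done
}

# check_baseline ROOT BASELINE_FILE
# Recompute each checksum on the mounted suspect disk; print CHANGED lines
# and return 1 if any binary differs from the baseline (or is missing).
check_baseline() {
    root=$1; base=$2; bad=0
    while read -r sum f; do
        now=$(sha256sum "$root$f" 2>/dev/null | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            printf 'CHANGED %s\n' "$f"
            bad=1
        fi
    done < "$base"
    return $bad
}

# build_fixture: construct a miniature root that mirrors the rkhunter
# report above (legitimate .pwd.lock and .udev, a planted ..1.gz) plus a
# stand-in /bin/ls we can tamper with. Prints the temp directory path.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc" "$fx/dev/.udev" "$fx/usr/share/man/man1" "$fx/bin"
    : > "$fx/etc/.pwd.lock"                              # glibc passwd lock file
    printf 'planted\n' > "$fx/usr/share/man/man1/..1.gz"  # the suspicious entry
    printf '#!/bin/sh\n/bin/ls "$@"\n' > "$fx/bin/ls"     # stand-in binary
    printf '%s\n' "$fx"
}

# Walk-through on the constructed tree.
demo() {
    fx=$(build_fixture)
    echo "hidden entries not on the whitelist:"
    list_hidden "$fx" /etc /dev /usr/share/man
    make_baseline "$fx" /bin/ls > "$fx/baseline.sha256"
    printf 'tampered\n' > "$fx/bin/ls"                   # simulate a replaced ls
    check_baseline "$fx" "$fx/baseline.sha256" || echo "baseline check FAILED"
    rm -rf "$fx"
}

demo
```

On a real CentOS box the baseline step has a packaged equivalent, rpm -V against the package database, but only if the rpm binary and database you use come from trusted media rather than the suspect disk; the checksum file here is the portable version of the same idea.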
