neil...
the ps he showed, showed the 'atack' processes being run by the apache user...
i'm inclined to agree that he should take the machine offline, but i don't know what the 'atack' processes are, and unless his system is really f*ed up.. i'm inclined to think the process is something on his server...
now, how it got there is a curious issue that he's going to have to address..
but this is why i specifically asked the kinds of web apps he's running on his server...
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Neil Aggarwal
Sent: Tuesday, June 02, 2009 10:03 PM
To: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Bruce:
I think you are misunderstanding something. He showed a process listing of processes running on his server. Those were not apache processes being attacked from the outside. They were rogue processes running on his machine.
Neil
-- Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com Eliminate junk email and reclaim your inbox. Visit http://www.spammilter.com for details.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of bruce
Sent: Tuesday, June 02, 2009 11:49 PM
Cc: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
nope...
not kidding... the majority of windows based attacks on an apache system running on linux systems are obnoxious, but not harmful... the kinds of attacks that are looking to exploit windows buffer overflows are harmless to linux systems..
this isn't to say that all windows attacks are harmless, but this has been my experience, as well as what i've seen in the lit.
if you have other information regarding windows attacks on webservers, that also impact linux boxes, please share the relevant websites, describing the attack vectors.. i'd be interested in checking out the articles as would others...
but go ahead and reply to me online, as others might be interested in this thread as well...
-----Original Message-----
From: John R. Dennison [mailto:jrd@gerdesas.com]
Sent: Tuesday, June 02, 2009 9:41 PM
To: bruce
Cc: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
On Tue, Jun 02, 2009 at 09:34:55PM -0700, bruce wrote:
> it's possible your box is attacked, has been compromised.. or it's possible
> that it's also being slammed by some sort of potential attack/hack.
> regarding the apache app, what do the log files say... what apps do you have
> running on the apache server? are these apps home grown, or installed from
> some public source?
He has multiple occurrences of a process named "atack", each running with an argument of 100. Looks like a DoS to me.
> do the research online to see what kind of attack you might have...
It's irrelevant except as a learning exercise in forensics.
> it might be that your box is completely safe...
You're kidding, right?
> you might also track/monitor any kind of attempt at the box communicating
> with other ip addresses that you aren't using....
The longer that box stays on the net the more potential damage it can (and most likely *will* do).
> doing a complete reinstall is a draconian measure and may not be called
> for...
You're kidding, right?
John
-- "I'm sorry but our engineers do not have phones." As stated by a Network Solutions Customer Service representative when asked to be put through to an engineer.
"My other computer is your windows box." Ralf Hildebrandt <sxem> trying to play sturgeon while it's under attack is apparently not fun.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos