My replies below... I'm just so down in the dumps now... aaahhhhh
----- Original Message ----
From: Neil Aggarwal neil@JAMMConsulting.com
To: CentOS mailing list centos@centos.org
Sent: Wednesday, June 3, 2009 1:38:05 PM
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
The original poster stated he did know how what the process was. He stated he believed the machine was being attacked. He asked for advice from the community on how to handle the situation.
Yes. This was and is still my understanding. This was what 'top' showed...
  PID USER    PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache  15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache  15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache  15   0   964  560  472 S  0.3  0.0   0:05.23 atack
22375 apache  15   0   964  560  472 S  0.3  0.0   0:04.21 atack
22858 apache  15   0   964  560  472 S  0.3  0.0   0:02.87 atack
'ps -ef' showed
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
The original poster's statements imply it was not put there by an authorized user.
Yes, no one but me has access to the machine.
Someone does not just casually assume a machine has been hacked. They have a reason for suspecting it.
Applications running;
1 - horde groupware webmail edition, just the framework though.
2 - phpmyadmin
3 - postfixadmin
4 - postfix
5 - dovecot
6. fail2ban
7. monit
2 -> 7 I installed from the repos.
The CentOS box was running 5.2 when I first noticed the 'slowness'. I then updated to 5.3 hoping that the problem would go away.
I am not worried about reinstalling (I loathe doing it) but my worry here (as some of you have accurately pointed out) is that the 'issue' will repeat again because I just don't know what happened. I'm just surprised that a CentOS box was compromised.
The box is unplugged now.
Any more ideas?
Regards, Maco.