Matt, great idea.... I FOUND SOMETHING... pls see below...
________________________________
From: Matt lm7812@gmail.com
To: CentOS mailing list centos@centos.org
Sent: Thursday, June 4, 2009 4:40:57 AM
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ?

Oh hell....
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
When I run 'ps -ef' I can see many lines like the ones below:
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
A good tool to have on your Linux box that may help some:

http://rkhunter.sourceforge.net/
http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter

After installing, do:

rkhunter --update
rkhunter -c

And see if it finds anything.
I DID FIND SOMETHING...NOT SURE WHAT THOUGH ;)
* Filesystem checks
  Checking /dev for suspicious files...                     [ OK ]
  Scanning for hidden files...                              [ Warning! ]
---------------
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
                 /dev/.udev (directory)
The contents of the /dev/.udev folder:

drwxr-xr-x 2 root root 540 Jun  8 15:41 db
drwxr-xr-x 2 root root 740 Jun  8 15:41 failed
-rw-r--r-- 1 root root   4 Jun  8 15:42 uevent_seqnum

The contents of the ../man1/ folder:

[root@fwg man1]# ls -al :.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 :.1.gz

[root@fwgw man1]# ls -al [.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 [.1.gz
Anything out of the ordinary?
---------------------------- Scan results ----------------------------

MD5 scan
Skipped            <--- WHY SKIPPED? Because the OS is unknown, as shown in the NOTE below?

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 32 seconds

....................... end .........................................
NOTE: When we run rkhunter, it prints the lines below... even though I installed from the CentOS repo, it still says it's an unknown OS:

Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!
Anything out of the ordinary?
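As an added example (not code from this thread, from rkhunter, or from CentOS): a small POSIX shell script that walks /proc for every process owned by the apache user and prints the real executable path, working directory and command line, flagging binaries that were deleted after exec, live in a hidden directory, or sit outside the usual system directories. The trusted-prefix list and the file name find_odd_procs.sh are assumptions; it needs root to read other users' /proc entries.

```shell
#!/bin/sh
# Added example, not from the thread: find where processes such as the
# "./atack" seen under the apache user are really running from, using
# /proc/<pid>/exe and /proc/<pid>/cwd. Run as root so other users' entries
# are readable. Assumption: legitimate binaries live under these prefixes.
TRUSTED_PREFIXES="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /lib"

# Returns 0 (true) when an executable path looks out of place:
#  - the binary was unlinked after exec (readlink shows a "(deleted)" suffix)
#  - a path component starts with a dot (hidden dir, like /dev/.udev above)
#  - it lives outside the trusted prefixes (/tmp, /dev/shm, a web root, ...)
suspicious_exe_path() {
    path="$1"
    case "$path" in
        *" (deleted)") return 0 ;;
        */.*) return 0 ;;
    esac
    for prefix in $TRUSTED_PREFIXES; do
        case "$path" in
            "$prefix"/*) return 1 ;;
        esac
    done
    return 0
}

# Walks every process owned by a user (default apache) and reports suspects.
scan_user_processes() {
    user="${1:-apache}"
    for pid in $(ps -u "$user" -o pid= 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=""
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd="?"
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || cmd="?"
        if [ -z "$exe" ]; then
            printf 'SKIP    pid=%s exe unreadable (not root, or process exited)\n' "$pid"
        elif suspicious_exe_path "$exe"; then
            printf 'SUSPECT pid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$cmd"
        fi
    done
}

# Usage: sh find_odd_procs.sh --scan [user]
if [ "${1:-}" = "--scan" ]; then
    scan_user_processes "${2:-apache}"
fi
```

The cwd column answers where "./atack 100" was launched from, which is the directory to inspect next alongside the hidden files rkhunter reported.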