[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 05:03:08 UTC 2009
Neil Aggarwal <neil at JAMMConsulting.com>

Bruce:

I think you are misunderstanding something.
He showed a process listing of processes running
on his server.  Those were not apache processes
being attacked from the outside.  They were rogue
processes running on his machine.

	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.  

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of bruce
> Sent: Tuesday, June 02, 2009 11:49 PM
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 
> nope...
> 
> not kidding... the majority of windows based attacks on an apache system
> running on linux systems are obnoxious but not harmful... the kinds of
> attacks that are looking to exploit windows buffer overflows are harmless to
> linux systems..
> 
> this isn't to say that all windows attacks are harmless, but this has been
> my experience, as well as what i've seen in the lit.
> 
> if you have other information regarding windows attacks on webservers, that
> also impact linux boxes, please share the relevant websites, describing the
> attack vectors.. i'd be interested in checking out the articles as would
> others...
> 
> but go ahead and reply to me online, as others might be interested in this
> thread as well...
> 
> 
> -----Original Message-----
> From: John R. Dennison [mailto:jrd at gerdesas.com]
> Sent: Tuesday, June 02, 2009 9:41 PM
> To: bruce
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 
> 
> On Tue, Jun 02, 2009 at 09:34:55PM -0700, bruce wrote:
> > it's possible your box is attacked, has been compromised.. or it's possible
> > that it's also being slammed by some sort of potential attack/hack.
> > regarding the apache app, what do the log files say... what apps do you have
> > running on the apache server? are these apps home grown, or installed from
> > some public source?
> 
> 	He has multiple occurrences of a process named "atack", each
> 	running with an argument of 100.  Looks like a DoS to me.
> 
> > do the research online to see what kind of attack you might have...
> 
> 	It's irrelevant except as a learning exercise in forensics.
> 
> > it might be that your box is completely safe...
> 
> 	You're kidding, right?
> 
> > you might also track/monitor any kind of attempt at the box communicating
> > with other ip addresses that you aren't using....
> 
> 	The longer that box stays on the net the more potential damage
> 	it can (and most likely *will* do).
> 
> > doing a complete reinstall is a draconian measure and may not be called
> > for...
> 
> 	You're kidding, right?
> 
> 
> 
> 
> 
> 							John
> 
> --
> "I'm sorry but our engineers do not have phones."
> As stated by a Network Solutions Customer Service representative when asked to
> be put through to an engineer.
> 
> "My other computer is your windows box."
>                                      Ralf Hildebrandt
> <sxem> trying to play sturgeon while it's under attack is apparently not fun.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos