[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 05:18:03 UTC 2009
bruce <bedouglas at earthlink.net>

you and i agree on him figuring out what web apps are causing the issues..
or in fact, exactly what the 'atack' process is?  i didn't see the initial
threads.. was this something that he discussed? did he say what the atack
process was doing?

my only point, was that reinstalling without understanding what was/is going
on is a draconian step.. does it resolve the issue.. sure.. does it get to
what might have been the cause.. not in my opinion...

but hey.. there are different ways of approaching a problem...



-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
Behalf Of John R. Dennison
Sent: Tuesday, June 02, 2009 10:10 PM
To: CentOS mailing list
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....


On Tue, Jun 02, 2009 at 09:48:41PM -0700, bruce wrote:
>
> not kidding... the majority of windows based attacks on an apache system
> running on linux systems are obnoxious, but not harmful... the kinds of
> attacks that are looking to exploit windows buffer overflows are harmless to
> linux systems..
>
> this isn't to say that all windows attacks are harmless, but this has been
> my experience, as well as what i've seen in the lit.
>
> if you have other information regarding windows attacks on webservers, that
> also impact linux boxes, please share the relevant websites, describing the
> attack vectors.. i'd be interested in checking out the articles as would
> others...

	Not to be rude but what are you rambling on about?

	He's running an apache instance on cent5.  He has processes he
	can not readily identify running under apache named "atack";
	where does "windows" come into the equation?  What the processes
	are specifically doing is secondary to the problem at hand,
	which is that the processes exist in the first place.

	Please, enlighten me as to how you can think that his box has
	not been compromised.  Please, enlighten me as to how he (or
	you) can gauge the extent of the compromise (assuming no HIDS
	in use on the server).

	I stand by my previous advice - the box is compromised, can not
	be trusted, and as a responsible admin he should be working on
	re-installing it, evaluating what web-apps he had running that
	led to this in the first place and taking the appropriate steps
	to ensure it does not happen again.





							John

--
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to
be put through to an engineer.

"My other computer is your windows box."
                                     Ralf Hildebrandt
<sxem> trying to play sturgeon while it's under attack is apparently not fun.