[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 13:22:32 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

My replies below.... I'm just so down in the dumps now....aaahhhhh



----- Original Message ----
> From: Neil Aggarwal <neil at JAMMConsulting.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Wednesday, June 3, 2009 1:38:05 PM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 

> The original poster stated he did know how what 
> the process was.  He stated he believed the machine
> was being attacked.  He asked for advice from the
> community on how to handle the situation.

Yes. This was and is still my understanding. This was what 'top' showed...

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack


'ps -ef' showed


apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100


> The original poster's statements imply it was not put 
> there by an authorized user.

Yes, no one but me has access to the machine.

>  Someone does not just
> casually assume a machine has been hacked.  They
> have a reason for suspecting it.

Applications running:

1 - Horde Groupware Webmail Edition, just the framework though.
2 - phpMyAdmin
3 - PostfixAdmin
4 - Postfix
5 - Dovecot
6 - fail2ban
7 - Monit

2 -> 7 I installed from the repos.

The CentOS box was running 5.2 when I first noticed the 'slowness'. I then updated to 5.3 hoping that the problem would go away.

I am not worried about reinstalling (I loathe doing it) but my worry here (as some of you have accurately pointed out) is that the 'issue' will repeat again because I just don't know what happened. I'm just surprised that a CentOS box was compromised.

The box is unplugged now. 

Any more ideas?

Regards,
Maco.
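A defender-side triage script for the kind of process listing quoted above, added here as an example and not part of the thread: it parses `ps -ef` output, flags processes owned by the web-server account whose executable is a relative path (like `./atack`) or lives in a world-writable directory, and groups flagged children by parent PID (the shared PPID 23378 pattern above). The sample listing is constructed to mirror the quoted lines; the user-name and directory lists are assumptions.

```python
from collections import Counter

# Constructed `ps -ef` sample modelled on the thread's lines: apache-owned
# "./atack 100" children sharing one parent, beside a normal httpd worker.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
apache    2110  2101  0 09:00 ?        00:00:00 /usr/sbin/httpd
apache   23378  2110  0 10:50 ?        00:00:00 /bin/sh -c ./atack 100
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
"""

WEB_USERS = {"apache", "www-data", "nobody"}          # assumed accounts httpd runs as
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed: binaries here are a red flag

def parse_ps(text):
    """Parse `ps -ef` output into dicts; the CMD column keeps its embedded spaces."""
    rows = []
    for line in text.splitlines()[1:]:                # skip the header row
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = line.split(None, 7)
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows

def executable_of(cmd):
    """Program a CMD string actually runs, unwrapping a `sh -c '...'` launcher."""
    exe = cmd.split()[0]
    if exe.rsplit("/", 1)[-1] in ("sh", "bash") and " -c " in cmd:
        exe = cmd.split(" -c ", 1)[1].split()[0]
    return exe

def suspicious(rows):
    """Web-user processes run from a relative path or a writable dir: (pid, ppid, exe, reason)."""
    findings = []
    for r in rows:
        if r["uid"] not in WEB_USERS:
            continue
        exe = executable_of(r["cmd"])
        if not exe.startswith("/"):
            findings.append((r["pid"], r["ppid"], exe, "relative path"))
        elif exe.startswith(WRITABLE_DIRS):
            findings.append((r["pid"], r["ppid"], exe, "writable dir"))
    return findings

def spawn_clusters(findings, min_children=3):
    """Parents with several flagged children: a loop re-launching a dropped binary."""
    counts = Counter(ppid for _pid, ppid, _exe, _reason in findings)
    return {ppid: n for ppid, n in counts.items() if n >= min_children}
```

On a live box, compare the CMD column against `readlink /proc/<pid>/exe` and `/proc/<pid>/cwd`, since argv is chosen by the process itself and a tampered `ps` can omit entries. If the box stays unplugged, run this over a listing captured earlier or from the disk mounted under rescue media.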