[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 15:06:55 UTC 2009
William L. Maltby <CentOS4Bill at triad.rr.com>

On Wed, 2009-06-03 at 06:29 -0700, Linux Advocate wrote:
> <snip>

> I tried googling for "centos apache atack" but did not get anything substantial.
> I tried locating a binary file called "atack" but got nothing.

Just an FYI to all those who may not know:

$ cat test.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* sleep() */

/* Sleep, then overwrite argv[0] in place so that ps shows "test.c"
 * instead of ./a.out. The new name must not be longer than the old
 * one ("test.c" fits inside "./a.out"). */
int main(int argc, char *argv[])
{
    (void)argc;
    sleep(15);
    strcpy(argv[0], "test.c");
    sleep(15);
    exit(0);
}

$ cc test.c
[wild-bill@centos501 ~]$ ./a.out&
[2] 7359
[wild-bill@centos501 ~]$ ps -ef|tail -4
500       7323  4104  0 10:52 ?        00:00:00 spamd child
500       7359  4025  0 10:54 pts/0    00:00:00 ./a.out
500       7360  4025  0 10:54 pts/0    00:00:00 ps -ef
500       7361  4025  0 10:54 pts/0    00:00:00 tail -4
[wild-bill@centos501 ~]$ sleep 15;ps -ef|tail -4
500       7323  4104  0 10:52 ?        00:00:00 spamd child
500       7359  4025  0 10:54 pts/0    00:00:00 test.c
500       7363  4025  0 10:54 pts/0    00:00:00 ps -ef
500       7364  4025  0 10:54 pts/0    00:00:00 tail -4

I haven't checked in a long time, but maybe there's some stuff in
process group headers that might give a clue to follow? Been a *long*
time since I dinked with that stuff, so I'm not sure.

One thing to check for is anything with an suid bit set that is owned by
apache (again a long time, but I think that will do it) that you suspect
is "wrong". Sometimes clues reside in timestamps on the executables.
Might need to do your snooping in single-user mode off a recovery CD
since well-crafted attacks hide themselves and overlay commands that
might be used to detect them.

Barring all else, an rpm -qa --last will show installs by date and a
--verify might yield some clues. You can "find" with various time checks
(-newer or -mtime?) to see all files and directories that have been
changed since the last rpm activity prior to the detection of the
problem. However, these can also be modified to reduce the chance of
detection.

<snip>

HTH
-- 
Bill
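The test.c trick above only rewrites argv[0]; the kernel's own record of the executable in /proc/<pid>/exe is untouched. As an added example (not part of the original post), this script compares the two for every process and flags the ones that disagree, including binaries that were deleted after being started. Names, sample arguments and the `--scan` flag are the example's own assumptions.

```bash
#!/bin/sh
# Added example: detect processes whose ps-visible name (argv[0]) does not
# match the executable the kernel actually mapped (/proc/<pid>/exe).

# compare_names ARGV0 EXE_PATH -> prints "ok" or "MISMATCH"; exit status matches.
compare_names() {
    argv0="${1:-}"
    exe_base=$(basename -- "${2:-}")
    # A binary unlinked after exec shows as "/path/prog (deleted)": the
    # on-disk evidence is gone, so treat that as a mismatch as well.
    case "$exe_base" in
        *" (deleted)") echo "MISMATCH"; return 1 ;;
    esac
    # Resolve symlinks in an absolute argv[0] (e.g. /bin/sh -> dash) so
    # legitimate interpreter aliases do not show up as false positives.
    if [ "${argv0#/}" != "$argv0" ] && [ -e "$argv0" ]; then
        argv0=$(readlink -f -- "$argv0" 2>/dev/null || echo "$argv0")
    fi
    argv0_base=$(basename -- "$argv0")
    if [ "$argv0_base" = "$exe_base" ]; then
        echo "ok"; return 0
    fi
    echo "MISMATCH"; return 1
}

# Walk /proc. Reading another user's /proc/<pid>/exe needs root, so run the
# scan as root (or from a rescue environment, as the post suggests).
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads: no exe
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        if ! compare_names "$argv0" "$exe" >/dev/null; then
            printf '%s\tps-name=%s\texe=%s\n' "$pid" "$argv0" "$exe"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

Daemons that deliberately rewrite their own title (perl's "spamd child" above, postgres, sendmail) will be reported too, so the output is a list of processes to look at, not a verdict.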