[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 20:59:38 UTC 2009
Steven Tardy <sjt5 at its.msstate.edu>

the directory is user:group apache:apache... so check your apache logs....
go over your apache logs with a fine toothed comb.
specifically look for:
  file timestamps that match files in the directory(May 25 13:56).
  POST requests,
     this will usually very quickly show you the requests and the web app hole.
after finding the hole/IP, search your apache logs for all requests from that IP address.

once things have slowed down, be a good netizan and contact yahoo.com abuse to let them 
know about the collection email account.

ps: take a deep breath, it's not the end of the world.


Linux Advocate wrote:
> [root at fwgw unix]# ls -al
> total 4352
> drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
> drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
> -rwxr-xr-x 1 apache apache       0 May 19 06:02   124.164.find.22
> -rwxr-xr-x 1 apache apache       0 Mar 24 22:28   129.135.find.22
> -rwxr-xr-x 1 apache apache       0 Mar 24 22:25   129.find.22
> -rwxr-xr-x 1 apache apache       0 May 25 13:54   21.168.find.22
> -rwxr-xr-x 1 apache apache   12687 May 25 06:16  60.191.find.22
> -rw-r--r-- 1 apache apache       0 Jun  3 23:45   83.182.find.22
> -rwxr-xr-x 1 apache apache    4631 Apr 21 17:50   84.2.find.22
> -rwxr-xr-x 1 apache apache       0 May 25 06:17   89.38.find.22
> -rwxr-xr-x 1 apache apache    2362 May 19 15:28   91.204.find.22
> -rwxr-xr-x 1 apache apache     216 May 18  2005   auto
> -rwxr-xr-x 1 apache apache 4374933 May 15 19:41  data.conf
> -rwxr-xr-x 1 apache apache   15729 Oct 14  2005  find
> -rw-r--r-- 1 apache apache    5262 Jun  3 23:45  log
> -rwxr-xr-x 1 apache apache     751 May 25 06:33  unix
> -rw-r--r-- 1 apache apache       0 Jun  3 23:04   vuln.txt
> -rwxr-xr-x 1 apache apache     671 May 25 13:56  x

-- 
Steven Tardy
Systems Programmer
Information Technology Infrastructure
Information Technology Services
Mississippi State University
sjt5 at its.msstate.edu