[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sat Jun 13 13:58:51 UTC 2009
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Sat, Jun 13, 2009 at 03:19, Linux Advocate<linuxhousedn at yahoo.com> wrote:
> i'm looking for it bro...the machine is disconnected from the net but
> i have not formatted it yet... i really need to know how it happened....

I suggest you start by looking at Apache's logs and look for very strange
URLs that have nothing to do with the applications you have there, like
.exe files (IIS attacks) or other .cgi or .php files that will give
you 404 errors. Also look for things in the error_log file. And then
look for other accesses from the same IP (assuming it's always from
the same IP) to files that do exist; this will probably lead you to
what was used to break in. Continue the investigation from there.

Also, you can use "stat /dev/shm/unix" to find the "ctime" of that
directory, or look into the modification time of "/dev/shm" to try to
figure out when the "/dev/shm/unix" directory was created, then you can
look for accesses at that time in your Apache logs to figure out which
script was used for the break in.

Usually script kiddies will run a series of attacks on your machine,
which will generate logs with errors. Unless the attacker got root
access (which apparently he did not, as he was running his program as
user apache) he would not be able to delete logs, so the evidence
should still be there.

HTH,
Filipe
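The three steps Filipe describes (find 404 probes for .exe/.cgi/.php-style files, pivot on the probing IPs to see which existing files they reached, and pull the requests around the ctime of /dev/shm/unix) as a small triage script. This is an added example, not code from the original post or from CentOS. It reads Apache's default "combined" access_log format; the sample log lines, the IPs, the paths and the timestamp standing in for the "Change:" line of `stat /dev/shm/unix` are all constructed for illustration, and the extension list adds .dll, .asp and .pl to the .exe/.cgi/.php the post names.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format (the default on CentOS 5):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions that rarely belong on a LAMP box. The post names .exe, .cgi and .php;
# .dll, .asp and .pl are an assumption added here.
PROBE_EXTENSIONS = {".exe", ".dll", ".asp", ".cgi", ".pl", ".php"}


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    entry["status"] = int(entry["status"])
    # A bare "-" request line (e.g. a 408 timeout) has no method or path.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if len(parts) >= 2 else None
    entry["path"] = parts[1] if len(parts) >= 2 else None
    return entry


def path_extension(path):
    """Extension of the request path with the query string stripped, lower-cased."""
    bare = path.split("?", 1)[0]
    dot, slash = bare.rfind("."), bare.rfind("/")
    return bare[dot:].lower() if dot > slash else ""


def find_probes(entries):
    """Requests for .exe/.cgi/.php-style files that did not exist (404): scanner noise."""
    return [e for e in entries
            if e["path"] and e["status"] == 404
            and path_extension(e["path"]) in PROBE_EXTENSIONS]


def hits_from(entries, ips):
    """Requests from the probing IPs that reached files that DO exist (status < 400)."""
    return [e for e in entries if e["ip"] in ips and e["path"] and e["status"] < 400]


def around(entries, when, minutes=5):
    """Requests within +/- `minutes` of a timestamp, e.g. the ctime of /dev/shm/unix."""
    window = timedelta(minutes=minutes)
    return sorted((e for e in entries if abs(e["time"] - when) <= window),
                  key=lambda e: e["time"])


def triage(lines, ctime, minutes=5):
    """Run the three steps from the post and return the findings in one dict."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    probes = find_probes(entries)
    ips = {e["ip"] for e in probes}
    return {
        "probes": probes,
        "suspect_ips": ips,
        "existing_file_hits": hits_from(entries, ips),
        "near_ctime": around(entries, ctime, minutes),
    }


# Constructed sample access_log; IPs, paths and times are invented for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2009:22:14:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jun/2009:22:41:10 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "Mozilla/4.0"
192.0.2.77 - - [12/Jun/2009:22:41:11 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 298 "-" "Mozilla/4.0"
192.0.2.77 - - [12/Jun/2009:22:41:12 +0000] "GET /phpmyadmin/index.php HTTP/1.0" 404 298 "-" "Mozilla/4.0"
192.0.2.77 - - [12/Jun/2009:22:41:15 +0000] "GET /gallery/upload.php HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
192.0.2.77 - - [12/Jun/2009:22:41:19 +0000] "POST /gallery/upload.php HTTP/1.0" 200 77 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Jun/2009:22:50:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2009:23:02:44 +0000] "-" 408 - "-" "-"
""".splitlines()

# Assumed value standing in for the "Change:" line printed by `stat /dev/shm/unix`.
ASSUMED_CTIME = datetime(2009, 6, 12, 22, 41, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for section, found in triage(lines, ASSUMED_CTIME).items():
        print("==", section)
        for e in (found if isinstance(found, list) else sorted(found)):
            print("  ", e if isinstance(e, str) else
                  "%s %s %s %s %d" % (e["ip"], e["time"], e["method"], e["path"], e["status"]))
```

Run it as `python3 triage.py /var/log/httpd/access_log` on the copied log and replace ASSUMED_CTIME with the "Change:" timestamp `stat` prints. In the sample, the 404 probes from 192.0.2.77 lead to its two 200 hits on /gallery/upload.php seconds before the assumed ctime, which is exactly the pivot the post describes. Note that /dev/shm is a tmpfs, so copy or stat its contents before any reboot.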