[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 04:02:38 UTC 2009
Neil Aggarwal <neil at JAMMConsulting.com>

Hello:

If there are processes running on your machine 
which you do not recognize, assume the machine has
been compromised.  Take it offline and wipe it
immediately.

	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.  

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Linux Advocate
> Sent: Tuesday, June 02, 2009 10:23 PM
> To: CentOS mailing list
> Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 
> 
> Guys, Apache CPU usage is hitting 100% sometimes (to such 
> an extent that it's very noticeable) on a box with just 8 users or so.
> 
> I'm getting this when I run 'top'. The worrying thing is 
> seeing the word 'atack' under command
> 
> 
> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
> 22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
> 22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
> 22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack
> 22997 apache    15   0   964  560  472 S  0.3  0.0   0:04.11 atack
> 22999 apache    15   0   964  560  472 S  0.3  0.0   0:02.22 atack
> 23007 apache    15   0   964  560  472 S  0.3  0.0   0:03.79 atack
> 23099 apache    15   0   964  556  472 S  0.3  0.0   0:02.18 atack
> 23101 apache    15   0   964  556  472 S  0.3  0.0   0:02.48 atack
> 23108 apache    15   0   964  556  472 S  0.3  0.0   0:03.59 atack
> 23109 apache    15   0   964  556  472 S  0.3  0.0   0:02.75 atack
> 23112 apache    15   0   972  504  412 S  0.3  0.0   0:04.70 atack
> 23115 apache    15   0   964  556  472 S  0.3  0.0   0:03.75 atack
> 23116 apache    15   0   964  556  472 S  0.3  0.0   0:02.80 atack
> 23121 apache    15   0   972  504  412 S  0.3  0.0   0:03.79 atack
> 23384 apache    15   0   964  556  472 S  0.3  0.0   0:01.63 atack
> 23389 apache    15   0   964  556  472 S  0.3  0.0   0:03.52 atack
> 23392 apache    15   0   964  556  472 S  0.3  0.0   0:01.61 atack
> 23397 apache    15   0   964  556  472 S  0.3  0.0   0:01.62 atack
> 23405 apache    15   0   964  556  472 S  0.3  0.0   0:03.64 atack
> 
> When I run 'ps -ef' I can see many lines as below:
> 
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
> apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
> apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
> apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
> apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
> apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100
> 
> 
> Hell, has my CentOS 5.3 box been hacked??? Help!!!!!!!!!!
> 
> 
>       
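Added example, not part of the original thread: a small triage filter that reads `ps -ef` output and lists every process owned by the web-server account whose executable is not on an allowlist, then counts the hits per parent PID so the common parent stands out. The function names, the allowlist and the two `httpd` sample lines are assumptions constructed here; the two `./atack` lines are copied from the output quoted above.

```shell
#!/bin/sh
# flag_unexpected USER ALLOWED_CSV
# Reads `ps -ef` output on stdin and prints "PID PPID COMMAND" for every
# process owned by USER whose executable basename is not in ALLOWED_CSV.
flag_unexpected() {
    awk -v user="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user {
            exe = $8                  # ps -ef columns: UID PID PPID C STIME TTY TIME CMD
            sub(/^.*\//, "", exe)     # basename: "./atack" -> "atack"
            if (!(exe in ok)) {
                cmd = $8
                for (i = 9; i <= NF; i++) cmd = cmd " " $i
                print $2, $3, cmd
            }
        }'
}

# count_by_parent: reads flag_unexpected output, prints "PPID COUNT" per parent.
count_by_parent() {
    awk '{ c[$2]++ } END { for (p in c) print p, c[p] }' | sort -n
}

# Sample input in `ps -ef` layout. The httpd lines are constructed for this
# example; the ./atack lines are taken from the post.
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      2101     1  0 09:00 ?        00:00:01 /usr/sbin/httpd
apache    2110  2101  0 09:00 ?        00:00:00 /usr/sbin/httpd
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
EOF
}

sample_ps | flag_unexpected apache httpd
sample_ps | flag_unexpected apache httpd | count_by_parent
```

On a live host the input would be `ps -ef | flag_unexpected apache httpd`. The command column is only what the process reports about itself, so a name that passes the allowlist is not proof the binary is legitimate.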