[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 04:34:55 UTC 2009
bruce <bedouglas at earthlink.net>

it's possible your box is attacked, has been compromised.. or it's possible
that it's also being slammed by some sort of potential attack/hack.
regarding the apache app, what do the log files say... what apps do you have
running on the apache server? are these apps home grown, or installed from
some public source?

do the research online to see what kind of attack you might have...

it might be that your box is completely safe...

you might also track/monitor any kind of attempt at the box communicating
with other ip addresses that you aren't using....

doing a complete reinstall is a draconian measure and may not be called
for...

your mileage might vary...


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
Behalf Of Linux Advocate
Sent: Tuesday, June 02, 2009 8:23 PM
To: CentOS mailing list
Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....



Guys, apache cpu usage is hitting 100% sometimes ( to such an extent that
it's very noticeable)  on a box with just 8 users or so.

I'm getting this when i run 'top'. The worrying thing is seeing the word
'atack' under command


PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack
22997 apache    15   0   964  560  472 S  0.3  0.0   0:04.11 atack
22999 apache    15   0   964  560  472 S  0.3  0.0   0:02.22 atack
23007 apache    15   0   964  560  472 S  0.3  0.0   0:03.79 atack
23099 apache    15   0   964  556  472 S  0.3  0.0   0:02.18 atack
23101 apache    15   0   964  556  472 S  0.3  0.0   0:02.48 atack
23108 apache    15   0   964  556  472 S  0.3  0.0   0:03.59 atack
23109 apache    15   0   964  556  472 S  0.3  0.0   0:02.75 atack
23112 apache    15   0   972  504  412 S  0.3  0.0   0:04.70 atack
23115 apache    15   0   964  556  472 S  0.3  0.0   0:03.75 atack
23116 apache    15   0   964  556  472 S  0.3  0.0   0:02.80 atack
23121 apache    15   0   972  504  412 S  0.3  0.0   0:03.79 atack
23384 apache    15   0   964  556  472 S  0.3  0.0   0:01.63 atack
23389 apache    15   0   964  556  472 S  0.3  0.0   0:03.52 atack
23392 apache    15   0   964  556  472 S  0.3  0.0   0:01.61 atack
23397 apache    15   0   964  556  472 S  0.3  0.0   0:01.62 atack
23405 apache    15   0   964  556  472 S  0.3  0.0   0:03.64 atack

When i 'ps -ef' i can see many lines as below;

apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100


Hell, has my centos 5.3 box  been hacked??? Help  !!!!!!!!!!



_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
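
An added triage example, not part of either message above: it reads `ps -ef` output and lists, per parent PID, the processes running as the web server account that are not the web server binary, which is the pattern the original post shows. The account name `apache`, the path `/usr/sbin/httpd` and the function names are assumptions; the sample rows are constructed, reusing three `./atack 100` lines from the post.

```shell
#!/bin/sh
# Added example: flag processes owned by the web server account that are not
# the web server itself, grouped by parent PID, from `ps -ef` style text.

# Assumptions: service account "apache", legitimate binary /usr/sbin/httpd
# (CentOS defaults). Override via the environment for other layouts.
WEB_USER="${WEB_USER:-apache}"
WEB_BIN="${WEB_BIN:-/usr/sbin/httpd}"

# Reads `ps -ef` output on stdin and prints one line per (parent, command):
#   <ppid> <count> <command line>
# for every process run as $WEB_USER whose executable is not $WEB_BIN.
flag_unexpected() {
    awk -v user="$WEB_USER" -v bin="$WEB_BIN" '
        $1 == "UID" { next }                 # skip the header row
        $1 == user && $8 != bin {
            cmd = $8                         # field 8 onward is the command
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            count[$3 SUBSEP cmd]++           # key on parent PID + command
        }
        END {
            for (key in count) {
                split(key, part, SUBSEP)
                print part[1], count[key], part[2]
            }
        }' | sort -k2,2nr                    # busiest parent first
}

# Constructed sample: two ordinary httpd rows (made-up PIDs) plus three
# rows copied from the `ps -ef` excerpt in the original post.
sample_ps() {
    cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      2101     1  0 Jun01 ?        00:00:04 /usr/sbin/httpd
apache    2110  2101  0 Jun01 ?        00:00:01 /usr/sbin/httpd
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
EOF
}

# Live use on the affected box: ps -ef | flag_unexpected
sample_ps | flag_unexpected
```

CGI scripts and piped-log helpers also run as the web server account and will be listed, so each line is a lead to follow up in the Apache logs rather than a verdict. `ls -l /proc/<pid>/exe /proc/<pid>/cwd` shows where a flagged binary lives and which directory it was started from.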