[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 05:02:29 UTC 2009
Raymond Lillard <rlillard at sonic.net>

htebruce wrote:
> it's possible your box is attacked, has been compromised.. or it's possible
> that it's also being slammed by some sort of potential attack/hack.
> regarding the apache app, what do the log files say... what apps do you have
> running on the apache server? are these apps home grown, or installed from
> some public source?
> 
> do the research online to see what kind of attack you might have...
> 
> it might be that your box is completely safe...
> 
> you might also track/monitor any kind of attempt at the box communicating
> with other ip addresses that you aren't using....
> 
> doing a complete reinstall is a draconian measure and may not be called
> for...
> 
> your mileage might vary...
> 
> 
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
> Behalf Of Linux Advocate
> Sent: Tuesday, June 02, 2009 8:23 PM
> To: CentOS mailing list
> Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
> 
> Guys, apache CPU usage is hitting 100% sometimes ( to such an extent that
> it's very noticeable)  on a box with just 8 users or so.
> 
> I'm getting this when I run 'top'. The worrying thing is seeing the word
> 'atack' under command
> 
> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
> 22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack

If you haven't, please take the damn box off-line *now* in the
interest of good netizenship.  Do whatever forensics seem prudent,
off-line.  At this point, nobody knows what is happening and this
box needs to be offline until it is thoroughly secured.

The minimum forensics you need to do (or have done for you if
you need help) is to determine where the attack came from and
how it succeeded so you won't get caught with your knickers
around your ankles again.

As soon as the attack vector is known, close it down on your
other servers as quickly as you can.

Conventional wisdom is to cold load the compromised server
before returning it to service, because the bad guys often
leave multiple back doors.  Fixing the attack point is not
enough.

Regards,
Ray
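The symptom in the original post (processes owned by the apache account with a command name nobody recognises) can be checked mechanically. The following is an added example, not code from the thread: it filters `top -b -n 1` output in the column layout quoted above for processes owned by a given user whose COMMAND is not on an allow-list, and on a live box resolves each hit through /proc to show what binary it really is. The top output below is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Flags processes owned by the web-server
# account whose COMMAND is not an expected one, using the column layout of
# `top -b -n 1` shown in the original post. The sample below is constructed.

# Constructed sample: two "atack" processes hiding among legitimate httpd workers.
SAMPLE_TOP='  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
 2210 apache    15   0 29000 8000 4000 S  0.0  0.3   0:00.10 httpd
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
 2211 apache    15   0 29000 8000 4000 S  0.0  0.3   0:00.12 httpd
 1234 root      15   0 29000 9000 4000 S  0.0  0.3   0:01.00 httpd'

# unexpected_procs USER ALLOWED... < top-output
# Prints "PID COMMAND" for each process owned by USER whose COMMAND is not one
# of the ALLOWED names (e.g. "httpd rotatelogs"). The header row is skipped.
unexpected_procs() {
    user="$1"; shift
    awk -v user="$user" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "PID" { next }
        $2 == user && !($NF in ok) { print $1, $NF }
    '
}

# describe_pid PID: on a live system, show the real executable path and working
# directory of a process. An exe link ending in "(deleted)" means the binary
# was removed from disk after it was started, which is worth preserving for
# the off-line forensics Ray recommends. Prints "unknown" when /proc has no entry.
describe_pid() {
    pid="$1"
    printf '%s exe=%s cwd=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)"
}

# Stand-alone run over the constructed sample; replace the printf with
# `top -b -n 1` to check a live box.
printf '%s\n' "$SAMPLE_TOP" | unexpected_procs apache httpd | while read -r pid cmd; do
    echo "unexpected process $pid ($cmd) owned by apache"
    describe_pid "$pid"
done
```

Anything this reports should be recorded (PID, exe path, cwd, open sockets) before the box is pulled, since that evidence disappears with the reinstall.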