htebruce wrote:

> it's possible your box is attacked, has been compromised.. or it's possible
> that it's also being slammed by some sort of potential attack/hack.
>
> regarding the apache app, what do the log files say... what apps do you have
> running on the apache server? are these apps home grown, or installed from
> some public source?
>
> do the research online to see what kind of attack you might have...
>
> it might be that your box is completely safe...
>
> you might also track/monitor any kind of attempt at the box communicating
> with other ip addresses that you aren't using....
>
> doing a complete reinstall is a draconian measure and may not be called
> for...
>
> your mileage might vary...
>
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
> Behalf Of Linux Advocate
> Sent: Tuesday, June 02, 2009 8:23 PM
> To: CentOS mailing list
> Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
>
> Guys, apache CPU usage is hitting 100% sometimes ( to such an extent that
> it's very noticeable) on a box with just 8 users or so.
>
> I'm getting this when I run 'top'. The worrying thing is seeing the word
> 'atack' under command
>
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
> 22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack

If you haven't, please take the damn box off-line *now* in the interest of good netizenship. Do whatever forensics seem prudent, off-line. At this point, nobody knows what is happening and this box needs to be offline until it is thoroughly secured. The minimum forensics you need to do (or have done for you if you need help) is to determine where the attack came from and how it succeeded so you won't get caught with your knickers around your ankles again.
As soon as the attack vector is known, close it down on your other servers as quickly as you can. Conventional wisdom is to cold load the compromised server before returning it to service, because the bad guys often leave multiple back doors. Fixing the attack point is not enough.

Regards,
Ray
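As an added illustration of the first-pass triage htebruce and Ray describe (example code, not something posted in the thread), the script below parses a `top` listing like the one quoted above and flags every process owned by the apache user whose command is not the httpd binary itself, then looks up the real binary, working directory and argv of each flagged PID via /proc. The sample listing is constructed from the three quoted rows plus two invented healthy httpd rows; the /proc lookup assumes a Linux host and returns None elsewhere.

```python
import os

WEB_USER = "apache"                          # httpd worker user on CentOS 5
EXPECTED_WEB_COMMANDS = {"httpd", "apache2"}   # the only commands that user should run

# Constructed sample: the three 'atack' rows quoted in the thread plus two invented httpd rows.
SAMPLE_TOP = """\
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
 1834 apache    15   0 22512 8212 4408 S  0.0  0.4   0:00.51 httpd
 1810 root      15   0 22380 9148 5372 S  0.0  0.5   0:01.02 httpd
"""

def parse_top(text):
    """Return the process rows of a `top` listing as dicts; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 12 or not parts[0].isdigit():
            continue
        rows.append({"pid": int(parts[0]), "user": parts[1],
                     "cpu": float(parts[8]), "command": parts[11]})
    return rows

def suspicious_web_processes(rows, web_user=WEB_USER, expected=EXPECTED_WEB_COMMANDS):
    """Processes owned by the web server user that are not the web server itself.
    Anything else running as that unprivileged user was most likely started through a
    web application, which is the attack vector Ray says must be found and closed."""
    return [r for r in rows if r["user"] == web_user and r["command"] not in expected]

def describe_live(pid):
    """Best-effort look at a live PID via /proc (Linux only): real binary, cwd and argv.
    A deleted binary shows as '... (deleted)'; a cwd like /tmp or /dev/shm is typical for
    dropped payloads. A rootkit can falsify this, hence Ray's advice to work off-line."""
    base = "/proc/%d" % pid
    if not os.path.isdir(base):
        return None
    info = {}
    try:
        info = {key: os.readlink(os.path.join(base, key)) for key in ("exe", "cwd")}
        with open(os.path.join(base, "cmdline"), "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode("ascii", "replace").strip()
    except OSError as err:
        info["error"] = str(err)
    return info

if __name__ == "__main__":
    for proc in suspicious_web_processes(parse_top(SAMPLE_TOP)):
        print("PID %(pid)d runs %(command)r as %(user)s at %(cpu).1f%% CPU" % proc, describe_live(proc["pid"]))
```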