[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 05:11:33 UTC 2009
bruce <bedouglas at earthlink.net>

neil...

the ps he showed, showed the 'atack' processes being run by the apache
user...

i'm inclined to agree that he should take the machine offline, but i don't
know what the 'atack' processes are, and unless his system is really f*ed
up.. i'm inclined to think the process is something on his server...

now, how it got there is a curious issue that he's going to have to
address..

but this is why i specifically asked the kinds of web apps he's running on
his server...



-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
Behalf Of Neil Aggarwal
Sent: Tuesday, June 02, 2009 10:03 PM
To: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....


Bruce:

I think you are misunderstanding something.
He showed a process listing of processes running
on his server.  Those were not apache processes
being attacked from the outside.  They were rogue
processes running on his machine.

	Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of bruce
> Sent: Tuesday, June 02, 2009 11:49 PM
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> nope...
>
> not kidding... the majority of windows based attacks on an apache system
> running on linux systems are obnoxious but not harmful... the kinds of
> attacks that are looking to exploit windows buffer overflows are harmless to
> linux systems..
>
> this isn't to say that all windows attacks are harmless, but this has been
> my experience, as well as what i've seen in the lit.
>
> if you have other information regarding windows attacks on webservers, that
> also impact linux boxes, please share the relevant websites, describing the
> attack vectors.. i'd be interested in checking out the articles as would
> others...
>
> but go ahead and reply to me online, as others might be interested in this
> thread as well...
>
>
> -----Original Message-----
> From: John R. Dennison [mailto:jrd at gerdesas.com]
> Sent: Tuesday, June 02, 2009 9:41 PM
> To: bruce
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
>
> On Tue, Jun 02, 2009 at 09:34:55PM -0700, bruce wrote:
> > it's possible your box is attacked, has been compromised.. or it's possible
> > that it's also being slammed by some sort of potential attack/hack.
> > regarding the apache app, what do the log files say... what apps do you have
> > running on the apache server? are these apps home grown, or installed from
> > some public source?
>
> 	He has multiple occurrences of a process named "atack", each
> 	running with an argument of 100.  Looks like a DoS to me.
>
> > do the research online to see what kind of attack you might have...
>
> 	It's irrelevant except as a learning exercise in forensics.
>
> > it might be that your box is completely safe...
>
> 	You're kidding, right?
>
> > you might also track/monitor any kind of attempt at the box communicating
> > with other ip addresses that you aren't using....
>
> 	The longer that box stays on the net the more potential damage
> 	it can (and most likely *will* do).
>
> > doing a complete reinstall is a draconian measure and may not be called
> > for...
>
> 	You're kidding, right?
>
>
>
>
>
> 							John
>
> --
> "I'm sorry but our engineers do not have phones."
> As stated by a Network Solutions Customer Service representative when asked
> to be put through to an engineer.
>
> "My other computer is your windows box."
>                                      Ralf Hildebrandt
> <sxem> trying to play sturgeon while it's under attack is apparently not
> fun.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

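Added example, not part of the original thread: a triage check for the situation discussed above, where a process listing shows non-httpd processes owned by the apache user. The sample listing, PIDs, the `./atack` path and the function names are constructed for illustration; the allowlisted binary `/usr/sbin/httpd` is an assumption about the host.

```shell
#!/bin/sh
# Flag processes owned by the web server account that are not the web server.
WEB_USER="${WEB_USER:-apache}"          # account httpd runs as
ALLOWED="${ALLOWED:-/usr/sbin/httpd}"   # assumption: the only expected binary

# Reads "USER PID PPID ARGS..." lines (ps -eo user=,pid=,ppid=,args=) on stdin
# and prints one line per unexpected command: count, command line, PIDs.
flag_rogue() {
    awk -v user="$WEB_USER" -v allowed="$ALLOWED" '
        $1 == user && $4 != allowed {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            count[cmd]++
            pids[cmd] = pids[cmd] " " $2
        }
        END {
            for (c in count)
                printf "%d x %s (pids:%s)\n", count[c], c, pids[c]
        }' | sort -rn
}

# Live use (run as root): also record the on-disk binary and working
# directory of each suspect PID before the host is taken offline.
triage_live() {
    ps -eo user=,pid=,ppid=,args= | flag_rogue
    for pid in $(ps -u "$WEB_USER" -o pid=); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        [ "$exe" = "$ALLOWED" ] && continue
        echo "pid $pid exe=$exe cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    done
}

# Constructed sample listing: normal httpd workers plus several copies of a
# process named "atack" started with the argument 100.
sample_ps() {
    cat <<'EOF'
root      2950     1 /usr/sbin/httpd
apache    2961  2950 /usr/sbin/httpd
apache    2962  2950 /usr/sbin/httpd
apache    4101     1 ./atack 100
apache    4102     1 ./atack 100
apache    4103     1 ./atack 100
EOF
}

sample_ps | flag_rogue
```

A binary that was deleted after launch shows up in `triage_live` with ` (deleted)` appended to its `exe` path, so it is still reported.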