neil...

the ps he showed, showed the 'atack' processes being run by the apache user...

i'm inclined to agree that he should take the machine offline, but i don't know what the 'atack' processes are, and unless his system is really f*ed up.. i'm inclined to think the process is something on his server...

now, how it got there is a curious issue that he's going to have to address.. but this is why i specifically asked the kinds of web apps he's running on his server...

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Neil Aggarwal
Sent: Tuesday, June 02, 2009 10:03 PM
To: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Bruce:

I think you are misunderstanding something.

He showed a process listing of processes running on his server. Those were not apache processes being attacked from the outside. They were rogue processes running on his machine.

Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of bruce
> Sent: Tuesday, June 02, 2009 11:49 PM
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> nope...
>
> not kidding... the majority of windows based attacks on an apache system
> running on linux systems are obnoxious, but not harmful... the kinds of
> attacks that are looking to exploit windows buffer overflows are harmless to
> linux systems..
>
> this isn't to say that all windows attacks are harmless, but this has been
> my experience, as well as what i've seen in the lit.
>
> if you have other information regarding windows attacks on webservers, that
> also impact linux boxes, please share the relevant websites, describing the
> attack vectors.. i'd be interested in checking out the articles as would
> others...
>
> but go ahead and reply to me online, as others might be interested in this
> thread as well...
>
>
> -----Original Message-----
> From: John R. Dennison [mailto:jrd at gerdesas.com]
> Sent: Tuesday, June 02, 2009 9:41 PM
> To: bruce
> Cc: 'CentOS mailing list'
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
>
> On Tue, Jun 02, 2009 at 09:34:55PM -0700, bruce wrote:
> > it's possible your box is attacked, has been compromised.. or it's possible
> > that it's also being slammed by some sort of potential attack/hack.
> > regarding the apache app, what do the log files say... what apps do you have
> > running on the apache server? are these apps home grown, or installed from
> > some public source?
>
> He has multiple occurrences of a process named "atack", each
> running with an argument of 100. Looks like a DoS to me.
>
> > do the research online to see what kind of attack you might have...
>
> It's irrelevant except as a learning exercise in forensics.
>
> > it might be that your box is completely safe...
>
> You're kidding, right?
>
> > you might also track/monitor any kind of attempt at the box communicating
> > with other ip addresses that you aren't using....
>
> The longer that box stays on the net the more potential damage
> it can (and most likely *will* do).
>
> > doing a complete reinstall is a draconian measure and may not be called
> > for...
>
> You're kidding, right?
>
>
> John
>
> --
> "I'm sorry but our engineers do not have phones."
> As stated by a Network Solutions Customer Service representative when asked
> to be put through to an engineer.
>
> "My other computer is your windows box."
> Ralf Hildebrandt
> <sxem> trying to play sturgeon while it's under attack is apparently not
> fun.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos