you and i agree on him figuring out what web apps are causing the issues.. or in fact, exactly what the 'atack' process is? i didn't see the initial threads.. was this something that he discussed? did he say what the atack process was doing?

my only point, was that reinstalling without understanding what was/is going on is a draconian step.. does it resolve the issue.. sure.. does it get to what might have been the cause.. not in my opinion...

but hey.. there are different ways of approaching a problem...

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of John R. Dennison
Sent: Tuesday, June 02, 2009 10:10 PM
To: CentOS mailing list
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

On Tue, Jun 02, 2009 at 09:48:41PM -0700, bruce wrote:
>
> not kidding... the majority of windows based attacks on an apache system
> running on linux systems are obnoxious, but not harmful... the kinds of
> attacks that are looking to exploit windows buffer overflows are harmless to
> linux systems..
>
> this isn't to say that all windows attacks are harmless, but this has been
> my experience, as well as what i've seen in the lit.
>
> if you have other information regarding windows attacks on webservers, that
> also impact linux boxes, please share the relevant websites, describing the
> attack vectors.. i'd be interested in checking out the articles as would
> others...

Not to be rude but what are you rambling on about? He's running an apache instance on cent5. He has processes he can not readily identify running under apache named "atack"; where does "windows" come into the equation?

What the processes are specifically doing is secondary to the problem at hand, which is that the processes exist in the first place.

Please, enlighten me as to how you can think that his box has not been compromised.

Please, enlighten me as to how he (or you) can gauge the extent of the compromise (assuming no HIDS in use on the server).

I stand by my previous advice - the box is compromised, can not be trusted, and as a responsible admin he should be working on re-installing it, evaluating what web-apps he had running that led to this in the first place and taking the appropriate steps to ensure it does not happen again.

John

--
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to be put through to an engineer.

"My other computer is your windows box."
Ralf Hildebrandt

<sxem> trying to play sturgeon while it's under attack is apparently not fun.