On Wed, 2009-06-03 at 06:29 -0700, Linux Advocate wrote:
> <snip>
> i tried googling for 'centos apache atack" but did not get anything substantial.
> i tried locating a binary file called ' atack' but got nothing.

Just an FYI to all those who may not know:

$ cat test.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* for sleep() */

int main(int argc, char *argv[])
{
    sleep(15);                 /* ps shows "./a.out" during this window */
    strcpy(argv[0], "test.c"); /* overwrite argv[0] in place; ps reads it from here */
    sleep(15);                 /* ps now shows "test.c" for the same pid */
    exit(0);
}
$ cc test.c
[wild-bill at centos501 ~]$ ./a.out&
[2] 7359
[wild-bill at centos501 ~]$ ps -ef|tail -4
500       7323  4104  0 10:52 ?        00:00:00 spamd child
500       7359  4025  0 10:54 pts/0    00:00:00 ./a.out
500       7360  4025  0 10:54 pts/0    00:00:00 ps -ef
500       7361  4025  0 10:54 pts/0    00:00:00 tail -4
[wild-bill at centos501 ~]$ sleep 15;ps -ef|tail -4
500       7323  4104  0 10:52 ?        00:00:00 spamd child
500       7359  4025  0 10:54 pts/0    00:00:00 test.c
500       7363  4025  0 10:54 pts/0    00:00:00 ps -ef
500       7364  4025  0 10:54 pts/0    00:00:00 tail -4

I haven't checked in a long time, but maybe there's some stuff in process group headers that might give a clue to follow? Been a *long* time since I dinked with that stuff, so I'm not sure.

One thing to check for is anything with an suid bit set that is owner apache (again a long time, but I think that will do it) that you suspect is "wrong". Sometimes clues reside in timestamps on the executables.

Might need to do your snooping in single-user mode off a recovery CD since well-crafted attacks hide themselves and overlay commands that might be used to detect them.

Barring all else, an rpm -qa --last will show installs by date and a --verify might yield some clues. You can "find" with various time checks (-newer or -mtime?) to see all files and directories that have been changed since the last rpm activity prior to the detection of the problem. However, these can also be modified to reduce the chance of detection.

<snip>

HTH
--
Bill
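The following is an added example, not part of Bill's post or of anything the CentOS project ships. It turns the two points above into checks a defender can run: the argv[0] rewrite shown by test.c changes what ps prints, but it does not change /proc/PID/exe, so comparing the two exposes the mismatch; and the suid/rpm/find suggestions become functions. It assumes a Linux /proc layout, GNU find, and that /var/lib/rpm/Packages is rewritten on every rpm transaction (that path is an assumption, not something the post states). Like any check run on a live host, it trusts the kernel, the shell and find; Bill's advice to work from a rescue CD still applies.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for
# processes whose argv[0] has been rewritten, plus the suid/rpm/find checks.

# Pure comparison: does argv[0] (what ps -ef prints) plausibly name the
# executable that /proc/PID/exe points at?  Kept free of /proc access so it
# can be tested with constructed values.
#   $1 = argv[0] as found in /proc/PID/cmdline
#   $2 = target of readlink /proc/PID/exe
argv0_matches_exe() {
    a=${1#-}            # login shells prefix argv[0] with '-' (e.g. "-bash")
    base=${2##*/}       # basename of the real executable
    case "$a" in
        "$2"|"$base"|*/"$base") return 0 ;;   # full path, bare name or ./name
    esac
    return 1
}

# Walk /proc and report every process whose argv[0] disagrees with its
# executable, or whose executable was deleted after exec (exe link ends in
# " (deleted)").  Reading other users' /proc/PID/exe needs root.
scan_proc_argv0() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads: no exe
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        case "$exe" in
            *" (deleted)") printf 'pid %s: running from deleted binary %s\n' "$pid" "$exe" ;;
        esac
        if ! argv0_matches_exe "$argv0" "$exe"; then
            printf 'pid %s: argv[0]=%s but exe=%s\n' "$pid" "$argv0" "$exe"
        fi
    done
}

# suid/sgid files owned by a given user (the post's "owner apache" check).
find_suid_owned_by() {
    find / -xdev -type f -user "$1" \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Files changed since the last rpm transaction.  -cnewer compares ctime,
# which touch(1) cannot backdate, so it resists the mtime tampering Bill
# mentions; -newer (mtime) is listed too for comparison.
find_changed_since_last_rpm() {
    ref=${1:-/var/lib/rpm/Packages}     # assumption: rewritten on each rpm install/erase
    find / -xdev \( -cnewer "$ref" -o -newer "$ref" \) -not -path '/var/lib/rpm/*' 2>/dev/null
}

# rpm's own integrity check (the post's --verify); lines starting with
# "S.5....T" etc. mark size/md5/mtime changes on packaged files.
rpm_verify_all() {
    rpm -Va 2>/dev/null
}

# Stand-alone use: sh argv0_check.sh --scan   (as root, ideally from rescue media)
if [ "${1:-}" = "--scan" ]; then
    scan_proc_argv0
    find_suid_owned_by apache
    find_changed_since_last_rpm
fi
```

The argv[0] comparison is deliberately loose (a bare or relative name that matches the executable's basename is accepted), so a hit means "ps is lying about this pid", not merely "unusual invocation". A rootkit that filters /proc reads will defeat it, which is why the post's suggestion of an offline rescue environment is the stronger check.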