[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 17:57:03 UTC 2009
Scott Silva <ssilva at sgvwater.com>

on 6-2-2009 10:18 PM bruce spake the following:
> you and i agree on him figuring out what web apps are causing the issues..
> or in fact, exactly what the 'attack' process is?  i didn't see the initial
> threads.. was this something that he discussed? did he say what the attack
> process was doing?
Who cares what it was doing? He stated he didn't know what it was. It could be
sending spam or making tea, it doesn't matter. It is running without his
knowledge.
> 
> my only point, was that reinstalling without understanding what was/is going
> on is a draconian step.. does it resolve the issue.. sure.. does it get to
> what might have been the cause.. not in my opinion...

Attack forensics is an art. There are people that make large sums of money
doing this because it is difficult. Does he have the time/resources to see
what happened, or does he just need to get his site up and working in the
least amount of time?

> 
> but hey.. there are different ways of approaching a problem...
> 

Either way you want to look at it, the box needs to at a minimum get off the
net. If the system only has remote access, it needs to be booted from some
sort of rescue system to isolate the base from the running system. If he has
local access, then all the work can be done from a local console. Back up
anything you want, but don't just restore everything to the rebuilt system,
but check everything.  Then you can analyze, backup, wipe, pray, piss and
moan, drink, or whatever strikes your fancy. Just get the system off the
internet until it is not a (possible) threat anymore.
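The procedure above (get the box off the net, boot a rescue system, mount the old root, and check everything before restoring it) in concrete form, as an added example that is not part of the thread. It assumes the compromised root is mounted read-only from the rescue environment at a path you pass in (the `/mnt/sysimage` location in the comments is a hypothetical choice), and it only reports; what to restore, wipe or send to a forensics person is still your call.

```shell
#!/bin/sh
# Offline triage helpers for a compromised root mounted read-only from a rescue
# system. Example code written for this discussion, not from the original post.
# Hypothetical usage:  mount -o ro /dev/VolGroup00/LogVol00 /mnt/sysimage
#                      . ./triage.sh; find_setuid /mnt/sysimage
# Every function takes the mount point as $1 and stays on that filesystem
# (-xdev), so nothing on the rescue system itself is scanned by mistake.
set -eu

# setuid/setgid files on the old root: a dropped-in root shell shows up here,
# so diff this list against a clean install of the same release.
find_setuid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Executables parked in scratch directories the web server user can write to
# (the usual landing spot for whatever a web app exploit downloaded).
find_tmp_executables() {
    root="$1"
    for d in tmp var/tmp dev/shm; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type f -perm -100 2>/dev/null
    done | sort
}

# Files under the web root modified in the last N days (default 7): added or
# edited scripts are what you do NOT want to copy back onto the rebuilt box.
find_recent_webroot_changes() {
    root="$1"; days="${2:-7}"
    find "$root/var/www" -xdev -type f -mtime "-$days" 2>/dev/null | sort
}

# Stand-alone run: print the three reports for the given mount point.
if [ "${1:-}" != "" ]; then
    echo "== setuid/setgid =="; find_setuid "$1"
    echo "== executables in temp dirs =="; find_tmp_executables "$1"
    echo "== web root changes, last 7 days =="; find_recent_webroot_changes "$1"
fi
```

Run it from the rescue shell against the mount point, not from the compromised system's own binaries. On a CentOS box the package-level check that goes with this is `rpm --root /mnt/sysimage -Va`, which compares installed files against the RPM database on the old root; a modified `ps`, `netstat` or `sshd` shows up there, while anything outside a package (web app files, cron entries, keys in `/root/.ssh`) only shows up by reading through it yourself.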
