on 6-2-2009 10:18 PM bruce spake the following:
> you and i agree on him figuring out what web apps are causing the issues..
> or in fact, exactly what the 'atack' process is? i didn't see the initial
> threads.. was this something that he discussed? did he say what the atack
> process was doing?

Who cares what it was doing? He stated he didn't know what it was. It could be sending spam or making tea, it doesn't matter. It is running without his knowledge.

>
> my only point, was that reinstalling without understanding what was/is going
> on is a draconian step.. does it resolve the issue.. sure.. does it get to
> what might have been the cause.. not in my opinion...

Attack forensics is an art. There are people that make large sums of money doing this because it is difficult. Does he have the time/resources to see what happened, or does he just need to get his site up and working in the least amount of time?

>
> but hey.. there are different ways of approaching a problem...
>

Either way you want to look at it, the box needs to at a minimum get off the net. If the system only has remote access, it needs to be booted from some sort of rescue system to isolate the base from the running system. If he has local access, then all the work can be done from a local console. Back up anything you want, but don't just restore everything to the rebuilt system, but check everything.

Then you can analyze, back up, wipe, pray, piss and moan, drink, or whatever strikes your fancy. Just get the system off the internet until it is not a (possible) threat anymore.