[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Wed Jun 3 19:20:24 UTC 2009
bruce <bedouglas at earthlink.net>

and if you don't figure out what caused the issue... 

there's not a damned reason to think you wouldn't do the same thing and get in the same damn situation when you reinstall...

i'm not quibbling with removing the box from the net... i've simply stated that just going straight to reinstall doesn't resolve the potential recurrence of the issue..

in his case though, it now appears that he's got a great deal more information regarding the hack, and that he can proceed to figure out what happened.. or he might just reinstall!

peace


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On
Behalf Of Scott Silva
Sent: Wednesday, June 03, 2009 10:57 AM 
To: centos at centos.org
Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....


on 6-2-2009 10:18 PM bruce spake the following:
> you and i agree on him figuring out what web apps are causing the issues..
> or in fact, exactly what the 'attack' process is?  i didn't see the initial
> threads.. was this something that he discussed? did he say what the attack
> process was doing?
Who cares what it was doing? He stated he didn't know what it was. It could be
sending spam or making tea, it doesn't matter. It is running without his
knowledge.
> 
> my only point, was that reinstalling without understanding what was/is going
> on is a draconian step.. does it resolve the issue.. sure.. does it get to
> what might have been the cause.. not in my opinion...

Attack forensics is an art. There are people that make large sums of money
doing this because it is difficult. Does he have the time/resources to see
what happened, or does he just need to get his site up and working in the
least amount of time?

> 
> but hey.. there are different ways of approaching a problem...
> 

Either way you want to look at it, the box needs to at a minimum get off the
net. If the system only has remote access, it needs to be booted from some
sort of rescue system to isolate the base from the running system. If he has
local access, then all the work can be done from a local console. Back up
anything you want, but don't just restore everything to the rebuilt system,
but check everything.  Then you can analyze, backup, wipe, pray, piss and
moan, drink, or whatever strikes your fancy. Just get the system off the
internet until it is not a (possible) threat anymore.
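Scott's last paragraph boils down to a procedure: isolate the box, take what you need off it, but verify every file before it lands on the rebuilt system. The script below is an added illustration of that "check everything" step; it is not from the thread or from any CentOS tool. It assumes you earlier recorded SHA-256 hashes of the site files from a trusted copy (a fresh deployment or a pre-compromise backup), and it flags anything in the recovered backup that is modified, missing, or not in that manifest at all. The sample directory and manifest are constructed inline so the example runs on its own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify files pulled off a
# compromised host against a known-good hash manifest before restoring them.
# Assumption: the manifest was made from a trusted copy with
#   sha256sum <files...> > manifest
# on a clean system, so any difference means "do not restore blindly".

# build_sample: constructs a tiny backup tree plus its trusted manifest, then
# alters one page and drops in an unlisted file to stand in for tampering.
# Echoes "<manifest-path> <backup-dir>". (Constructed sample data.)
build_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/html"
    printf 'clean page\n' > "$dir/html/index.html"
    printf 'site config\n' > "$dir/site.conf"
    ( cd "$dir" && sha256sum html/index.html site.conf ) > "$dir.manifest"
    # changes made "after" the trusted manifest was taken
    printf 'clean page\n<!-- altered after manifest -->\n' > "$dir/html/index.html"
    printf 'not in manifest\n' > "$dir/html/extra.php"
    echo "$dir.manifest $dir"
}

# verify_against_manifest MANIFEST DIR
# Prints one line per problem:  MODIFIED <path> / MISSING <path> / UNKNOWN <path>.
# Silence means every file in DIR matches the manifest exactly.
verify_against_manifest() {
    manifest="$1"; dir="$2"
    # 1. every manifest entry must exist and hash identically
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    # 2. anything present in the backup that the manifest never listed
    #    (the grep treats the path as a regex; fine for plain file names)
    ( cd "$dir" && find . -type f | sed 's|^\./||' ) | while read -r f; do
        grep -q -- " $f\$" "$manifest" || echo "UNKNOWN  $f"
    done
}

# Demo run on the constructed sample: lists what must be inspected by hand.
set -- $(build_sample)
verify_against_manifest "$1" "$2"
```

Anything the script prints goes into the "check it before you restore it" pile; the `UNKNOWN` class matters as much as `MODIFIED`, since a file that was never part of the site has no business being carried over to the rebuilt box.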