[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sun Jun 7 03:32:21 UTC 2009
DAVID M <dmilholen at wletc.com>

I usually watch and listen to this mailing list but this one really 
caught my eye. I used to do a lot of this in the military for 20 yrs on 
nix boxes. Now I am a net engineer for a mid-sized WISP.
 I have seen how brutal attacks take place on nix boxes. When I config a 
nix box the first thing I do is set the firewall up to block all ports 
above 1048 and only let in or out what ports are needed for the machine. 
My favorite ports to block are ftp, ssh and telnet. I will configure 
different ports for those apps if they are needed. I even block these 
common ports on our gateway to the network and only allow certain 
accounts inside the net access because they do not know how to change 
their ports to something uncommon.
 Most root kits are hard scripted for the common ports, unless the 
attacker is smart enough to use a port scanner to try and find alternate 
ports, but I can also block most scanners by dropping certain connection 
types.
 I have had a machine online for about 16 yrs uptime with no attacks. 
They try but they die :)
If it was easy enough for a root kit to get access to your machine then 
there are some definite holes in the system.

Matt wrote:
>
>
>
>     PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>     23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
>     23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
>     22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
>     22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
>     22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack
>     22997 apache    15   0   964  560  472 S  0.3  0.0   0:04.11 atack
>     22999 apache    15   0   964  560  472 S  0.3  0.0   0:02.22 atack
>     23007 apache    15   0   964  560  472 S  0.3  0.0   0:03.79 atack
>     23099 apache    15   0   964  556  472 S  0.3  0.0   0:02.18 atack
>     23101 apache    15   0   964  556  472 S  0.3  0.0   0:02.48 atack
>     23108 apache    15   0   964  556  472 S  0.3  0.0   0:03.59 atack
>     23109 apache    15   0   964  556  472 S  0.3  0.0   0:02.75 atack
>     23112 apache    15   0   972  504  412 S  0.3  0.0   0:04.70 atack
>     23115 apache    15   0   964  556  472 S  0.3  0.0   0:03.75 atack
>     23116 apache    15   0   964  556  472 S  0.3  0.0   0:02.80 atack
>     23121 apache    15   0   972  504  412 S  0.3  0.0   0:03.79 atack
>     23384 apache    15   0   964  556  472 S  0.3  0.0   0:01.63 atack
>     23389 apache    15   0   964  556  472 S  0.3  0.0   0:03.52 atack
>     23392 apache    15   0   964  556  472 S  0.3  0.0   0:01.61 atack
>     23397 apache    15   0   964  556  472 S  0.3  0.0   0:01.62 atack
>     23405 apache    15   0   964  556  472 S  0.3  0.0   0:03.64 atack
>
>     When i 'ps -ef' i can see many lines as below;
>
>     apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
>     apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
>     apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
>     apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
>     apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
>     apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
>     apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100
>
>
>     Hell, has my centos 5.3 box  been hacked??? Help  !!!!!!!!!!
>
>  
> A good tool to have on your linux box that may help, some.
>  
> http://rkhunter.sourceforge.net/
>  
> http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter
>  
> After installing, do:
>  
> rkhunter --update
>
> rkhunter -c
>  
> And see if it finds anything.
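A small defensive check, added here as an example and not from the thread or any of its posters, that scans `ps -ef` output for the pattern quoted above: service-account processes launched from a relative path or a world-writable scratch directory, grouped by the parent that spawned them. The sample listing (modelled on the quoted lines, with benign httpd rows added) and the service-account list are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD),
# modelled on the listing quoted in the thread; the httpd rows are added
# here as benign context and are not from the original post.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      2001     1  0 10:00 ?        00:00:01 /usr/sbin/httpd
apache    2002  2001  0 10:00 ?        00:00:00 /usr/sbin/httpd
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24300 23378  0 11:02 ?        00:00:00 /tmp/.x/scan 80'

# Assumed list of accounts that serve content and should never launch ad-hoc binaries.
SERVICE_USERS="apache www-data nobody"

# Reads `ps -ef` output on stdin and prints one line per process owned by a
# service account whose executable is a relative path (./atack) or lives in a
# world-writable scratch directory (/tmp, /var/tmp, /dev/shm).
flag_suspicious() {
    awk -v users="$SERVICE_USERS" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) watch[u[i]] = 1 }
    $1 == "UID" { next }                       # skip the header line
    ($1 in watch) && ($8 ~ /^\.\.?\// || $8 ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
        printf "pid=%s ppid=%s user=%s cmd=%s\n", $2, $3, $1, $8
    }'
}

# Summarises flag_suspicious output: how many flagged children each parent PID
# has, so a single spawner (23378 in the sample) stands out for a closer look
# at /proc/<ppid>/cwd and /proc/<ppid>/exe.
suspicious_parents() {
    flag_suspicious | awk '
    { split($2, kv, "="); count[kv[2]]++ }
    END { for (p in count) printf "ppid=%s children=%d\n", p, count[p] }' | sort
}

# Stand-alone run over the constructed sample; pipe real `ps -ef` in instead.
printf '%s\n' "$SAMPLE_PS" | flag_suspicious
printf '%s\n' "$SAMPLE_PS" | suspicious_parents
```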