[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sat Jun 13 07:02:10 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

Matt, great idea.... I FOUND SOMETHING... pls see below...

________________________________
>From: Matt <lm7812 at gmail.com>
>To: CentOS mailing list <centos at centos.org>
>Sent: Thursday, June 4, 2009 4:40:57 AM
>Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

>PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack

>When I 'ps -ef' I can see many lines as below:

>apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
>apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100

>A good tool to have on your linux box that may help, some.
>http://rkhunter.sourceforge.net/
>http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter
>After installing do.
>rkhunter --update
>rkhunter -c
>And see if it finds anything.


I DID FIND SOMETHING... NOT SURE WHAT THOUGH ;)

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
---------------
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)  /dev/.udev (directory)

The contents of the /dev/.udev folder:

drwxr-xr-x  2 root root  540 Jun  8 15:41 db
drwxr-xr-x  2 root root  740 Jun  8 15:41 failed
-rw-r--r--  1 root root    4 Jun  8 15:42 uevent_seqnum


The contents of the ../man1/ folder:

[root at fwg man1]# ls -al  :.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 :.1.gz

[root at fwgw man1]# ls -al  [.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 [.1.gz


Anything out of the ordinary?


---------------------------- Scan results ----------------------------

MD5 scan
Skipped  <---  WHY SKIPPED? Because the OS is unknown, as shown in the NOTE below?

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 32 seconds

....................... end .........................................


NOTE: When we run rkhunter, it prints the lines below... even though I installed from the CentOS repo, it still says it is an unknown OS.

Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Anything out of the ordinary?
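As an added example (not part of this thread or of rkhunter itself), the script below reproduces the spirit of rkhunter's "Scanning for hidden files" step for a man directory: it flags names that start with a dot (invisible to a plain `ls`, like `..1.gz`) and names that do not look like a man page at all (like `:.1.gz` or `[.1.gz`), while skipping the benign entries the scan above reported (`/etc/.pwd.lock`, `/dev/.udev`). The allow-list, the man-page name pattern and the sample directory are constructed assumptions for this example.

```python
import gzip
import os
import re
import tempfile

# Hidden entries rkhunter reported in the post that are normal on CentOS 5;
# constructed allow-list for this example, extend it for your own system.
BENIGN_HIDDEN = {"/etc/.pwd.lock", "/dev/.udev"}
GZIP_MAGIC = b"\x1f\x8b"
# Assumed shape of a legitimate man page file name: printable stem, section
# number, optional suffix, then .gz (e.g. ls.1.gz, ssh_config.5.gz).
MAN_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+\-]*\.\d[A-Za-z0-9]*\.gz$")

def describe(path):
    """Short type label, in the style of rkhunter's 'Please inspect' line."""
    if os.path.isdir(path):
        return "directory"
    with open(path, "rb") as fh:
        return "gzip compressed data" if fh.read(2) == GZIP_MAGIC else "data"

def scan_man_dir(root, benign=BENIGN_HIDDEN):
    """Return sorted [(path, reason, type)] for entries worth inspecting.
    'hidden name' = starts with '.', 'unexpected name' = a regular file whose
    name does not match the man page pattern."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if full in benign:
                continue
            if name.startswith("."):
                findings.append((full, "hidden name", describe(full)))
            elif name in filenames and not MAN_NAME.match(name):
                findings.append((full, "unexpected name", describe(full)))
    return sorted(findings)

def build_sample_tree():
    """Constructed directory mimicking the man1 listing in the post."""
    root = tempfile.mkdtemp(prefix="man1_")
    for name, body in (("ls.1.gz", b"real page"), ("..1.gz", b"x"),
                       (":.1.gz", b"x"), ("[.1.gz", b"x")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(gzip.compress(body))
    return root

if __name__ == "__main__":
    for path, reason, kind in scan_man_dir(build_sample_tree()):
        print(f"Please inspect: {path} ({reason}; {kind})")
```

On a real box, follow up each hit with `rpm -qf <path>` to see whether any package claims the file; a man page no package owns is the thing to look at first.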