[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

Sun Jun 14 06:16:21 UTC 2009
Linux Advocate <linuxhousedn at yahoo.com>

john, replies below...


> Linux Advocate wrote:
> > DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK??? 
> > AAAAAAHHHHHHHHHHHHHHHHHHHH???????????????
> >
> > Was this why rkhunter popped out with this warning?
> >
> > * Filesystem checks
> >    Checking /dev for suspicious files...                      [ OK ]
> >    Scanning for hidden files...                               [ Warning! ]
> > ---------------
> > /etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
> > ---------------
> > Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, 
> > max compression)  /dev/.udev (directory)
> >
> > Should I delete these files? Are the man files normally .gz or .bz2?
> >
> > There is also a similar entry, where another file called unix2.tgz was 
> > downloaded....
> >
> > But I can't find these files on the HDisk?
> > Guys, I am out of my league here. All assistance is deeply appreciated.
> >  
> 
> I *hope* this machine is disconnected from the internet and running a 
> liveCD to investigate this

Yes, but I haven't formatted it yet because I need to understand what happened... I still can't believe a CentOS box that was regularly updated and patched was hacked.
 
> Yes, it appears you've been hacked, and have stealth files (any file 
> with . in front of the name is hidden and would only show with ls -a), and 
> if you *are* rootkitted, there's a strong possibility your ls and other 
> command tools have been replaced..

I don't think the attacker got root ownership, or else the log files would have been altered or deleted.

> and, it appears it came in via an exploit in that horde framework (I 
> know nothing about horde)
> 

hopefully more members on the list will weigh in on this.
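The rkhunter warning in the thread turned on hidden entries such as /usr/share/man/man1/..1.gz, and John's point is that a rootkitted ls cannot be trusted to show them. Below is an added example (not from this thread or from rkhunter) of a small POSIX sh check meant to be run from a live CD against the mounted disk: it walks the given directories with find, prints every dot-named entry, and skips an allowlist of paths that are expected on a CentOS 5 system (the two benign ones rkhunter listed). The allowlist, the mount prefix argument and the directory choices are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Lists hidden (dot-prefixed) entries under the given directories, minus an
# allowlist of paths that are normal on CentOS 5. Run it from a live CD with
# the suspect disk mounted read-only, so the host's possibly replaced ls is
# never used; only find(1) from the rescue media is relied on.

# Allowlist of hidden paths (relative to the mount prefix) known to be
# benign on this kind of system. Constructed for this example from the
# two entries rkhunter reported and the thread dismissed.
ALLOW_REL="/etc/.pwd.lock
/dev/.udev"

# scan_hidden PREFIX DIR...
#   PREFIX is where the suspect root is mounted (e.g. /mnt/root), DIRs are
#   paths under it (e.g. /usr/share/man). Prints each suspicious hidden path
#   relative to PREFIX, one per line; allowlisted paths and anything
#   beneath an allowlisted directory are skipped.
scan_hidden() {
    prefix=$1
    shift
    for dir in "$@"; do
        find "$prefix$dir" -name '.*' 2>/dev/null
    done | while IFS= read -r path; do
        rel=${path#"$prefix"}
        allowed=0
        for a in $ALLOW_REL; do
            case "$rel" in
                "$a"|"$a"/*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Usage when run directly, e.g.:
#   sh hidden_scan.sh /mnt/root /etc /dev /usr/share/man
if [ "$#" -ge 2 ]; then
    scan_hidden "$@"
fi
```

Anything it prints deserves a look with file(1) and a check against the package database (rpm -V on the owning package) before deciding whether it is a planted file.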