[CentOS] (c 5.6) Running 2 versions of Apache ?

Always Learning centos at u61.u22.net
Mon Aug 29 20:14:15 UTC 2011


On Mon, 2011-08-29 at 14:49 -0500, Les Mikesell wrote:

> Ummm, 30,000 isn't a particularly big number of hits to an apache
> server, especially if all it has to do is respond with a 'file not
> found'.  But you are probably wise to be defensive.

If it were the usual 50 to 100 phpmyadmin attempts from a single IP
address, that single IP address could be blocked in IPtables.

The current lunatic could continue his attacks for several months. That
probably means several hundred IPs, perhaps thousands, blocked for that
one small web site. By splitting the targeted web site from the others,
everything I do in IPtables should have little adverse effect on the
server's other activities which use different IP addresses. I am trying
to isolate the problem and then experiment to devise a re-usable
solution for future persistent attacks, if any.

> That probably means the intrusion is self-propagating.  That is, if
> the target is running some vulnerable php version or application, it
> is able to install a copy of itself and start over.

In this particular incident, I am reasonably certain the loony is using
tools to find vulnerable IPs and then manually feeding the address into
his script.

> As long as you aren't vulnerable yourself, I don't see the point of
> wasting human hours to save machine microseconds.  And this is a tiny
> bit of the viruses and automated intrusion attempts happening in the
> wild so unless you can generalize it into a fail2ban type of process
> your time would be better spent making sure your systems are up to
> date and inherently secure.

I spent several hours today examining firewalls, questioning the set-up
and tightening up.

> If that is the first instance you've seen, you must have a low-profile
> site.

First instance that has continued for more than 24 hours; and first with
30,000+ hits. Never ever advertise but top in Google's listing for a few
distinct items and in the top 5 for a few other items.

>   And no, web applications have their own bugs and
> vulnerabilities on Linux too.  And if you aren't fairly close to
> up-to-date on the base distribution, those exploits can get root
> access. 

Always keen to update to the latest releases. I've seen too many Windoze
machines run by others hacked and infected. 

>  The last one I bothered tracking down used a java/spring
> vulnerability to run something to trigger a local root exploit in
> glibc (that I think was fixed in the 5.4 or 5.5 update) but there are
> probably newer ones - and more we don't know about.

Our browsers never run Flash or Java - the potential risk is perceived
as too great.


Paul.
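The thread talks about blocking a probing address in IPtables and about generalising that into "a fail2ban type of process" scoped to the one targeted site. The script below is an added example, not code from either poster: it counts requests for phpMyAdmin-looking paths per client address in a combined-format Apache access log and prints (does not apply) iptables DROP rules restricted to the targeted site's own address, so the other sites on the box are unaffected. The site address 192.0.2.10, the path patterns, and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban-style pass over an Apache
# access log. Count phpMyAdmin-style probes per client IP and emit iptables
# rules for addresses over a threshold, scoped to the targeted site's IP.
# Rules are printed for review, not executed.

SITE_IP="192.0.2.10"   # assumption: the targeted site's dedicated address

# Print client IPs that requested phpMyAdmin-looking paths at least
# $2 times in the combined-format access log $1, one per line, sorted.
count_probes() {
    log="$1"; threshold="$2"
    awk -v t="$threshold" '
        # $1 = client IP, $7 = request path in the combined log format.
        # Path patterns are illustrative assumptions, not a complete list.
        tolower($7) ~ /(phpmyadmin|\/pma\/|\/myadmin)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' "$log" | sort
}

# Turn the offending IPs into iptables rules limited to SITE_IP port 80,
# so traffic to the server's other addresses is never touched.
emit_rules() {
    log="$1"; threshold="$2"
    count_probes "$log" "$threshold" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -d %s -p tcp --dport 80 -j DROP\n' \
            "$ip" "$SITE_IP"
    done
}

# Write a constructed sample log to $1: 60 probes from one host, 5 from
# another, plus ordinary traffic that must not be blocked.
make_sample_log() {
    out="$1"; : > "$out"
    i=0
    while [ "$i" -lt 60 ]; do
        echo '198.51.100.7 - - [29/Aug/2011:20:01:01 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 212 "-" "-"' >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 5 ]; do
        echo '203.0.113.9 - - [29/Aug/2011:20:02:01 +0000] "GET /pma/ HTTP/1.1" 404 212 "-" "-"' >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 80 ]; do
        echo '203.0.113.20 - - [29/Aug/2011:20:03:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' >> "$out"
        i=$((i + 1))
    done
}

# Stand-alone run: build the sample and show the rules it would produce.
tmp="${TMPDIR:-/tmp}/probe_sample.$$"
make_sample_log "$tmp"
emit_rules "$tmp" 50
rm -f "$tmp"
```

With the threshold at 50 only the host with 60 probes is listed; the host with 5 probes and the ordinary visitor are left alone. Because the rule carries `-d 192.0.2.10`, a blocked address can still reach the server's other sites on their own IPs, which is the isolation the post describes.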
