Re: [CentOS] attack

2009-12-25 Thread Dave
On Thu, Dec 24, 2009 at 2:01 AM, Manu Verhaegen mav...@telenet.be wrote:

 I have use  the following command
 grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
 grep 'ipadres' /var/log/httpd/acces

typo - ipadres should be ipaddress? And even with correct spelling,
that is probably not what you want to search for.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] attack

2009-12-25 Thread Joost Waversveld
I think they meant you should replace ipadres with the actual IP  
address of the attacker... ;-)


-- 
Joost Waversveld







[CentOS] attack

2009-12-24 Thread Manu Verhaegen
Hi,

My server is under attack: the attacker is abusing a PHP script on one of the
vhosts. How can I find which script it is?

Regards,
  maverh








Re: [CentOS] attack

2009-12-24 Thread John Doe
From: Manu Verhaegen mav...@telenet.be
 My server is under attack: the attacker is abusing a PHP script on one of the
 vhosts. How can I find which script it is?

Could you be more specific...?
Anything in the log files?

JD


  


Re: [CentOS] attack

2009-12-24 Thread Tim Ke
Anything from the accesslogs?



Re: [CentOS] attack

2009-12-24 Thread Pete
On Thu, 2009-12-24 at 11:31 +, Manu Verhaegen wrote:
 Hi,
 
 My server is under attack: the attacker is abusing a PHP script on one of the
 vhosts. How can I find which script it is?
 
 Regards,
   maverh

Hi Maverh,

I know this may sound like a silly question but how do you know your
server is under attack ? As others have advised, have you checked your
logs on the server ? What are you running that's being attacked ?

/var/log/httpd

/var/log/messages


Regards,

Pete.



Re: [CentOS] attack

2009-12-24 Thread david
To find out what users are running a specific command, you should use
top, ps or netstat; please read the manual on how to use them. After all that,
once you have some info, unplug your server from the internet and see what the
logs say.



Warm regards,
David
-
./nobody


Re: [CentOS] attack

2009-12-24 Thread Manu Verhaegen
Hi,

We have Plesk running. I am running logwatch and I have found an IP address.
I have added it to iptables to block it, and then the attack is solved.
We see a lot of outgoing emails; a PHP script is used for sending many emails,
possibly stored in the database.

I have used the following commands:
grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
grep 'ipadres' /var/log/httpd/access.log

They do not find any record.

Regards,
  Manu Verhaegen





Re: [CentOS] attack

2009-12-24 Thread Manu Verhaegen
At the moment everything is solved; I have blocked the IP address, but I have
not found the script.




Re: [CentOS] attack

2009-12-24 Thread Thomas Dukes
 

 -Original Message-
 From: centos-boun...@centos.org 
 [mailto:centos-boun...@centos.org] On Behalf Of Manu Verhaegen
 Sent: Thursday, December 24, 2009 7:04 AM
 To: CentOS mailing list
 Subject: Re: [CentOS] attack
 
 At the moment everything is solved; I have blocked the IP address,
 but I have not found the script.
 

So you are the attacker.  Happened to me a couple of weeks ago.

Check your tmp directory and subdirectory for std, udp.pl.  Also check
/etc/passwd and /etc/shadow for unusual users.  Should be at the very bottom
of those files.
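Thomas's checklist above (the scratch directories and the tail of /etc/passwd and /etc/shadow) can be turned into a repeatable check. The function below is an added example, not code from the thread or from any of its participants: it reads passwd-format lines from stdin and flags the patterns a planted account usually shows: a second UID 0, a duplicated UID, a home directory under /tmp, /var/tmp or /dev, and a service account (UID below 500, the CentOS 5 boundary) that has an interactive shell. The sample accounts, including the planted "sync" entry, are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Flags accounts in passwd-format input
# that an attacker commonly adds or alters. Reads stdin, so it can be run as
#   audit_passwd < /etc/passwd
# Assumptions: CentOS 5 layout (regular users start at UID 500, service
# accounts use /sbin/nologin or /bin/false). The sample below is constructed;
# the planted entry reuses the name "sync" to blend in with the real one.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
manu:x:500:500:Manu:/home/manu:/bin/bash
sync:x:0:0:sync:/tmp/.x:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'

# Prints one finding per line as "<reason> <user>", in input order.
audit_passwd() {
  awk -F: '
    {
      user = $1; uid = $3; home = $6; shell = $7
      # Any UID 0 account other than root is root under another name.
      if (uid == 0 && user != "root") print "uid0-not-root " user
      # Two accounts sharing a UID share its files and privileges.
      if (uid in byuid) print "duplicate-uid " user "," byuid[uid]; else byuid[uid] = user
      # Home in a world-writable scratch dir: nobody provisions users that way.
      if (home ~ /^\/(tmp|var\/tmp|dev)(\/|$)/) print "home-in-scratch-dir " user
      # A daemon account that can log in interactively is a classic backdoor.
      if (uid < 500 && uid != 0 && shell != "/sbin/nologin" && shell != "/bin/false")
        print "service-account-with-shell " user
    }
  '
}

# Number of findings for the constructed sample (used as a self-check).
count_findings() {
  printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd | wc -l | tr -d ' '
}

printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
echo "findings: $(count_findings)"
```

Legitimate exceptions such as sync, halt and shutdown, whose shell is the command itself, will trip the service-account rule on a real CentOS 5 box and belong in a whitelist for your baseline; compare the number and order of entries in /etc/shadow against /etc/passwd as well, since an appended account shows up at the bottom of both. A find over /tmp and /var/tmp for files owned by the web server user covers the std/udp.pl half of the checklist.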



Re: [CentOS] attack

2009-12-24 Thread Karanbir Singh
Hello

On 12/24/2009 12:01 PM, Manu Verhaegen wrote:
 We have Plesk running. I am running logwatch and I have found an IP address.
 I have added it to iptables to block it, and then the attack is solved.
 We see a lot of outgoing emails; a PHP script is used for sending many emails,
 possibly stored in the database.


You also have a broken email client. What are the chances that you could:

a) find an email client that preserves thread sanity
b) refrain from top-posting unless absolutely necessary

-- 
Karanbir Singh
London, UK| http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219  | Yahoo IM: z00dax  | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc


Re: [CentOS] attack

2009-12-24 Thread Manu Verhaegen
Hi,

I have checked my tmp directory and subdirectories for std and udp.pl; no such file exists.
I have also checked /etc/passwd and /etc/shadow for unusual users.

regards



Re: [CentOS] attack

2009-12-24 Thread R-Elists

 Hi,
 
 I have checked my tmp directory and subdirectories for std and
 udp.pl; no such file exists. I have also checked /etc/passwd and
 /etc/shadow for unusual users.
 
 regards

Manu,

Forgive me if I missed it when I deleted several of the posts in the thread,
yet how hard is it to check all the pertinent logfiles?

Unless this is a very sophisticated compromise that hides, moves, or deletes
things, or the management system is trash, the info you need is typically
in one or more of the various logfiles on the system.

Something as simple as:

man less

less /var/log/httpd/access_log

less /var/log/httpd/error_log

replace appropriate logfile names as necessary...

in general, there are many you can look at to gain some wisdom...

 - rh



Re: [CentOS] attack

2009-12-24 Thread Kai Schaetzl
Obviously, if you are running several vhosts and plesk you likely have 
other logs to check. Also, one can usually see the origin of the mail 
injection in the maillog (e.g. complaints about setting to an unsafe 
sender) or in the outgoing messages. At runtime you can see the connects 
with full URLs on the apache status page.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
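Kai's suggestion above and Manu's earlier grep over the per-vhost access logs come down to the same correlation: match the moments the MTA accepted a burst of mail from the web server's account against what Apache was serving at those moments. The script below is an added example, not code from the thread, from Plesk or from any participant; it does that correlation by minute over a Postfix-style maillog and an Apache combined-format access_log and ranks the PHP scripts that received POSTs during the bursts. The host name web1, the IP addresses, the script paths and every log line are constructed for the demo, and the from=<apache@...> pattern assumes the MTA logs web-generated mail under the web server's account.

```sh
#!/bin/sh
# Added example, not from the thread. Correlates outbound-mail bursts in a
# Postfix-style maillog with POST requests to PHP scripts in an Apache
# combined-format access_log, bucketed by minute, to point at the script that
# is being abused as a mailer. Assumptions: both logs cover the same day on the
# same clock, and the MTA logs web-generated mail as from=<apache@...>.
# All log lines below are constructed for the demo.

ACCESS_LOG_SAMPLE='198.51.100.7 - - [24/Dec/2009:10:05:00 +0000] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Dec/2009:11:30:50 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Dec/2009:11:31:04 +0000] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Dec/2009:11:31:08 +0000] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Dec/2009:11:31:20 +0000] "POST /contact/sendmail.php?r=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.33 - - [24/Dec/2009:11:31:30 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [24/Dec/2009:11:31:33 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Dec/2009:11:32:02 +0000] "POST /contact/sendmail.php HTTP/1.1" 200 512 "-" "curl/7.19"'

MAILLOG_SAMPLE='Dec 24 10:05:02 web1 postfix/qmgr[2201]: 1A2B3C4D: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:31:05 web1 postfix/qmgr[2201]: 2B3C4D5E: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:31:09 web1 postfix/qmgr[2201]: 3C4D5E6F: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:31:21 web1 postfix/qmgr[2201]: 4D5E6F70: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:31:22 web1 postfix/qmgr[2201]: 5E6F7081: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:32:03 web1 postfix/qmgr[2201]: 6F708192: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:32:04 web1 postfix/qmgr[2201]: 708192A3: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:32:05 web1 postfix/qmgr[2201]: 8192A3B4: from=<apache@web1.example.com>, size=812, nrcpt=1 (queue active)
Dec 24 11:33:10 web1 postfix/qmgr[2201]: 92A3B4C5: from=<root@web1.example.com>, size=300, nrcpt=1 (queue active)'

# Reads a maillog on stdin; prints each HH:MM in which the web server account
# handed at least $1 (default 5) messages to the MTA.
mail_burst_minutes() {
  awk -v min="${1:-5}" '
    / from=<apache@/ { split($3, t, ":"); n[t[1] ":" t[2]]++ }   # $3 is HH:MM:SS
    END { for (k in n) if (n[k] >= min) print k }
  ' | sort
}

# Reads an access_log on stdin; $1 is a newline-separated list of burst
# minutes. Prints "<requests> <distinct client IPs> <script>" for every PHP
# script that received a POST during those minutes, busiest first.
scripts_posted_during() {
  awk -v bursts="$1" '
    BEGIN { c = split(bursts, b, "\n"); for (i = 1; i <= c; i++) if (b[i] != "") burst[b[i]] = 1 }
    {
      split($4, t, ":"); minute = t[2] ":" t[3]   # $4 is "[24/Dec/2009:11:31:04"
      method = $6; gsub(/"/, "", method)          # $6 is "\"POST"
      path = $7; sub(/\?.*/, "", path)            # drop the query string
      if (method == "POST" && path ~ /\.php$/ && (minute in burst)) {
        hits[path]++
        key = path SUBSEP $1                      # count each client IP once per script
        if (!(key in seen)) { seen[key] = 1; ips[path]++ }
      }
    }
    END { for (p in hits) printf "%d %d %s\n", hits[p], ips[p], p }
  ' | sort -rn
}

# Ties the two together and returns the single most likely mailer script.
find_mailer_script() {
  bursts=$(printf '%s\n' "$MAILLOG_SAMPLE" | mail_burst_minutes 3)
  printf '%s\n' "$ACCESS_LOG_SAMPLE" | scripts_posted_during "$bursts" | head -n 1 | awk '{ print $3 }'
}

printf '%s\n' "$ACCESS_LOG_SAMPLE" | scripts_posted_during "$(printf '%s\n' "$MAILLOG_SAMPLE" | mail_burst_minutes 3)"
echo "most likely mailer: $(find_mailer_script)"
```

On the box itself, feed it `cat /var/log/maillog` and the per-vhost logs Manu grepped (/var/www/vhosts/*/statistics/logs/access_log) instead of the samples, and adjust the from= pattern if Plesk's MTA logs in a different format. Bucketing by minute and ranking scripts by activity is deliberate: the attacker's address may never appear where you look for it (the POSTs can come from many hosts, or the mail can be queued by a cron job rather than a request), so grepping for one IP can come back empty while the abused script is still obvious from the burst. If the PHP build is 5.3 or newer, the php.ini directives mail.add_x_header and mail.log record the originating script and its path directly, which makes this correlation unnecessary.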





Re: [CentOS] attack

2009-12-24 Thread Manu Verhaegen
Hi,

I am checking this.

thanks,
  Manu




Re: [CentOS] attack

2009-12-24 Thread Andy Sutton
http://www.atomicorp.com/wiki/index.php/Atomic_Secured_Linux

Wraps a lot of good stuff together for a plesk web server on CentOS.
Won't help much if you are already compromised, but it would be a good
addition.

 -Andy




Re: [CentOS] attack

2009-12-24 Thread Fernando Hallberg
Hi,

I have a repo with many security tools, if you want to test it. I have uploaded a few
packages from Fedora and other sources, and some created by me.

http://flexbox.sourceforge.net/centos/5/i386/flexbox-release-1-1.noarch.rpm

Try to install sectool and verify your system.

You can try to use fail2ban to watch the maillog and blacklist IPs.

I'm using fail2ban+shorewall+ipset.

Fernando.



-- 
Fernando Hallberg ferna...@flexdigital.com.br
Flex Digital Soluções em Redes de Dados
http://www.flexdigital.com.br