thanx guys. Let's close this thread. bye.
- Original Message
From: Scott Silva ssi...@sgvwater.com
To: centos@centos.org
Sent: Thursday, June 18, 2009 2:36:27 AM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
on 6-16-2009 10:26 PM Linux Advocate spake the following:
cmdshell.php)
? The horde framework was installed from the centos repo.!!!
I don't think the horde set on CentOS is very current. I just used the
tarball
from the horde website, and I keep it current.
ok. its just that
cmdshell.php)
? The horde framework was installed from the centos repo.!!!
I don't think the horde set on CentOS is very current. I just used the tarball
from the horde website, and I keep it current.
ok. its just that with centos being a redhat clone and so on. all the rpms they
Linux Advocate wrote:
cmdshell.php)
? The horde framework was installed from the centos repo.!!!
I don't think the horde set on CentOS is very current. I just used the
tarball
from the horde website, and I keep it current.
ok. its just that with centos being a redhat clone and
snip
B .Can i conclude that the attacker came through the horde framework (
cmdshell.php)
? The horde framework was installed from the centos repo.!!!
I don't think the horde set on CentOS is very current. I just used the tarball
from the horde website, and I keep it current.
Linux Advocate wrote:
DID THIS GUY ACTUALLY SAVE A FILE ON MY HARD DISK???
AA???
Was this why rkhunter popped out with this warning?
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files...
Linux Advocate wrote:
---
/etc/.pwd.lock /usr/share/man/man1/..1.gz /dev/.udev
---
Please inspect: /usr/share/man/man1/..1.gz (gzip compressed data, from
Unix,
max compression) /dev/.udev (directory)
actually, I just checked on another system,
On 6/14/09, Linux Advocate linuxhous...@yahoo.com wrote:
snip
yes. but i havent formatted it yet bcos i need to understand what
happened... i still cant believe a centos box that was regularly updated ,
patched was hacked
In addition to the regular updates you make to the box, there are
things
B .Can i conclude that the attacker came through the horde framework (
cmdshell.php) ? The horde framework was installed from the centos
repo.!!!
C. BUT THE WORST THING OF ALL IS THESE LINES BELOW
snip
14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]
To answer B C,
Matt, great idea I FOUND SOMETHING... pls see below...
From: Matt lm7...@gmail.com
To: CentOS mailing list centos@centos.org
Sent: Thursday, June 4, 2009 4:40:57 AM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
PID USER PR NI
- Original Message
From: bruce bedoug...@earthlink.net
To: CentOS mailing list centos@centos.org
Sent: Thursday, June 4, 2009 3:20:24 AM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
and if you don't figure out what caused the issue...
working
- Original Message
From: William L. Maltby centos4b...@triad.rr.com
To: CentOS mailing list centos@centos.org
Sent: Thursday, June 4, 2009 12:56:22 AM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
On Wed, 2009-06-03 at 09:33 -0700, Linux Advocate
Hi,
On Sat, Jun 13, 2009 at 03:19, Linux Advocate linuxhous...@yahoo.com wrote:
i'm looking for it bro...the machine is disconnected frm the net but
i have not formatted it yet... i really need to know how it happened
I suggest you start by looking at Apache's logs, look for very strange
when i run httpd -S i get these errors...
[Sat Jun 13 15:14:09 2009] [warn] The Alias directive in
/etc/httpd/conf.d/phpmyadmin.conf at line 11 will probably never match
because it overlaps an earlier Alias.
[Sat Jun 13 15:14:09 2009] [warn] The Alias directive in
On Sat, 2009-06-13 at 00:19 -0700, Linux Advocate wrote:
snip
Note that /dev/shm is a tempfs file system. It will be dynamically
populated. I would expect the attack vector still resides on your system
somewhere else.
i m looking for it bro...the machine is disconnected frm the
replies below...
- Original Message
From: Filipe Brandenburger filbran...@gmail.com
To: CentOS mailing list centos@centos.org
Sent: Saturday, June 13, 2009 9:58:51 PM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
I suggest you start by looking
I usually watch and listen to this mailing list but this one really
caught my eye.. I used to do a lot of this in the military for 20yrs on
nix boxes. Now I am a net engineer for a mid sized wisp.
I have seen how brutal attacks take place on nix boxes. When I config a
nix box the first thing I
On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
It would be prudent to review his web code to see
if he did something in an insecure way. If his code
is open
On Wed, Jun 03, 2009 at 01:57:20AM -0400, JohnS wrote:
Dollars to Donuts ehhh???
How many donuts you think it will take to pay for legal costs and clean
up if there are customer data on the machine? I think right about now I
4 chocolate eclairs should cover it :)
But
On Wed, 2009-06-03 at 02:04 -0500, John R. Dennison wrote:
On Wed, Jun 03, 2009 at 01:57:20AM -0400, JohnS wrote:
Dollars to Donuts ehhh???
How many donuts you think it will take to pay for legal costs and clean
up if there are customer data on the machine? I think right about now I
On Wednesday 03 June 2009 06:09:37 John R. Dennison wrote:
He's running an apache instance on cent5. He has processes he
can not readily identify running under apache named atack;
where does windows come into the equation?
Several of the links returned by google have
William Warren wrote:
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-05/0202.html
This has nothing to do with the issue at hand (neither did the other URL
from your earlier mail).
It can *clearly* be seen that there are processes running as the apache
user on that box - so why
bruce wrote:
nope...
not kidding... the majority of windows based attacks on an apache system
running on linux systems are obnoxious, but not harmful... the kinds of
attacks that are looking to exploit windows buffer overflows are harmless to
linux systems..
Aha. How are active running
Anne Wilson wrote:
On Wednesday 03 June 2009 06:09:37 John R. Dennison wrote:
He's running an apache instance on cent5. He has processes he
can not readily identify running under apache named atack;
where does windows come into the equation?
Several of the
On Wednesday 03 June 2009 12:44:58 Ralph Angenendt wrote:
where does windows come into the equation?
The question I replied to was "where does windows come into the equation?".
Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
Anne Wilson wrote:
On Wednesday 03 June 2009 06:09:37 John R. Dennison wrote:
He's running an apache instance on cent5. He has processes he
can not readily identify running under apache named atack;
where does windows come into the equation?
Several of the links
Anne Wilson wrote:
On Wednesday 03 June 2009 12:44:58 Ralph Angenendt wrote:
where does windows come into the equation?
No, I did not write that.
The question I replied to was "where does windows come into the equation?".
And I asked what made you think that this had anything to do with
My replies below i m just so down in the dumps nowaaah
- Original Message
From: Neil Aggarwal n...@jammconsulting.com
To: CentOS mailing list centos@centos.org
Sent: Wednesday, June 3, 2009 1:38:05 PM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
- Original Message
From: Anne Wilson cannewil...@googlemail.com
On Wednesday 03 June 2009 06:09:37 John R. Dennison wrote:
He's running an apache instance on cent5. He has processes he
can not readily identify running under apache named atack;
where
as an aside? did he say if he even looked on the net for anything related to
this??
i tried googling for 'centos apache atack' but did not get anything
substantial.
i tried locating a binary file called ' atack' but got nothing.
___
- Original Message
From: John R. Dennison j...@gerdesas.com
I stand by my previous advice - the box is compromised, can not
be trusted, and as a responsible admin he should be working on
re-installing it, evaluating what web-apps he had running that
led to this
Maco:
i am not worried abt reinstalling ( i loathe doing it ) but
my worry here ( as some of you have accurately pointed out )
is that the 'issue' will repeat again bcos i just don't know
what happened. I m just surprised that a centos box was compromised.
If you are only running
Maco:
i have other mandriva boxes and they all are ok. i m just so
surprised that a centos box got compromised.
If you are not doing anything silly in your server
configuration, this is not a CentOS issue.
Anything *can* be hacked. It just so happens
that it was your CentOS box this time.
Linux Advocate wrote:
- Original Message
From: John R. Dennison j...@gerdesas.com
I stand by my previous advice - the box is compromised, can not
be trusted, and as a responsible admin he should be working on
re-installing it, evaluating what web-apps he had
On Wed, Jun 3, 2009 at 9:22 AM, Linux Advocate linuxhous...@yahoo.com wrote:
i am not worried abt reinstalling ( i loathe doing it ) but my worry here (
as some of you have accurately pointed out ) is that the 'issue' will repeat
again bcos i just don't know what happened. I m just
Bill:
Just an FYI to all those who may not know:
$ cat test.c
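#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* sleep() */
int main(int argc, char *argv[])
{
    sleep(15);                   /* ps -ef shows the name the program was started with */
    strcpy(argv[0], "test.c");   /* overwrite argv[0] in place */
    sleep(15);                   /* ps -ef now reports "test.c" for this process */
    exit(0);
}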
That is a very cool demonstration.
Thanks for the info.
Neil
--
Neil
On Wed, 2009-06-03 at 11:06 -0400, William L. Maltby wrote:
snip
I just thought of this too.
There are two IDs tracked by the system. Effective (EUID) and the real
ID (UID). If the process has changed UID, by either suid bit or by
program call (I think it has to start as root for that to
On Wed, 2009-06-03 at 06:29 -0700, Linux Advocate wrote:
snip
i tried googling for 'centos apache atack' but did not get anything
substantial.
i tried locating a binary file called ' atack' but got nothing.
Just an FYI to all those who may not know:
$ cat test.c
#include <stdlib.h>
#include
Neil Aggarwal wrote:
Maco:
i have other mandriva boxes and they all are ok. i m just so
surprised that a centos box got compromised.
If you are not doing anything silly in your server
configuration, this is not a CentOS issue.
Anything *can* be hacked. It just so happens
that it was
] Centos 5.3 - Apache - Under Attack ? Oh hell
hi...
i've seen a few of your threads on your issue of the 'atack' processes
running from your web server...
i'm replying to you offline, as ..
take a look over your box, and let's see what you have...
as per yr tip i had found
PM
Subject: RE: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
hi...
i've seen a few of your threads on your issue of the 'atack' processes
running from your web server...
i'm replying to you offline, as ..
take a look over your box, and let's see what you have...
as per
on 6-2-2009 9:09 PM John R. Dennison spake the following:
On Tue, Jun 02, 2009 at 09:01:35PM -0700, Linux Advocate wrote:
o godd.
i have a quite a few linux boxes and not even one has been hacked. oh
man !!
That you have
Further googling indicates that UnixCod is a brute force ssh scanner... what
is odd is that i have fail2ban running ( which blocks IPs after 2 failed
attempts) and an 8 letter passwd but i still got hacked
Hi Marco,
Just because the app is an SSH scanner doesn't automatically mean
on 6-2-2009 10:18 PM bruce spake the following:
you and i agree on him figuring out what web apps are causing the issues..
or in fact, exactly what the 'atack' process is? i didn't see the initial
threads.. was this something that he discussed? did he say what the atack
process was doing?
On Wednesday 03 June 2009 14:09:35 Ralph Angenendt wrote:
Anne Wilson wrote:
On Wednesday 03 June 2009 12:44:58 Ralph Angenendt wrote:
where does windows come into the equation?
No, I did not write that.
True. An error in snipping, somewhere.
The question I replied to was where does
On Wednesday 03 June 2009 14:24:43 Linux Advocate wrote:
- Original Message
From: Anne Wilson cannewil...@googlemail.com
On Wednesday 03 June 2009 06:09:37 John R. Dennison wrote:
He's running an apache instance on cent5. He has processes he
can not readily
And if you have other server set up identically, you might want to
check/secure them before they too are owned
Nevermind identically; you should check all of your systems. If this is a
business environment, you should really think about getting a professional
vulnerability assessment or at
...@centos.org [mailto:centos-boun...@centos.org]on
Behalf Of Scott Silva
Sent: Wednesday, June 03, 2009 10:57 AM
To: centos@centos.org
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
on 6-2-2009 10:18 PM bruce spake the following:
you and i agree on him figuring out what web
It would be prudent to review his web code to see if he did
something in an insecure way. If his code is open to attack, it
will be so even if he puts it on a new machine.
Hence my statements to evaluate the web-apps he has running :)
I will bet dollars to donuts he
-Original Message-
To: centos@centos.org
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ?
Oh hell
Man... eclairs, donuts, dollars, and even helicopters. This thread has
everything.
And someone is getting served
-Original Message-
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ?
Oh hell
Basically, audit every app out there you plan to use - the
people who write these web applications often don't take
security into consideration before they upload them
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
22375 apache    15   0
the directory is user:group apache:apache... so check your apache logs
go over your apache logs with a fine toothed comb.
specifically look for:
file timestamps that match files in the directory(May 25 13:56).
POST requests,
this will usually very quickly show you the requests and the
sorry typos amended
Guys, apache's cpu usage is hitting
100% sometimes ( to such an extent that its
very noticeable)
on a box ( 2gb ram) with just 8 users or so. This never happened before.
i m getting this when i
run 'top'. The worrying thing is seeing the word 'atack'
under
On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
Hell, has my centos 5.3 box been hacked??? Help !!
Yes. Reinstall; fully update components; restore *data*
from backups (you have backups, right?) and review what
web packages you have installed
John R. Dennison wrote:
On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
Hell, has my centos 5.3 box been hacked??? Help !!
Yes. Reinstall; fully update components; restore *data*
from backups (you have backups, right?) and review what
John R. Dennison wrote:
On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
Hell, has my centos 5.3 box been hacked??? Help !!
Yes. Reinstall; fully update components; restore *data*
from backups (you have backups, right?) and review what
some google foo shows this is a WINDOWS exploit not a linux one.
http://www.linuxquestions.org/questions/slackware-14/analyzing-apache-logs-174552/
___
yes, william, i saw those links when i googled... i too did not think it related
to me
reply below
- Original Message
From: John R. Dennison j...@gerdesas.com
To: CentOS mailing list centos@centos.org
Sent: Wednesday, June 3, 2009 11:43:46 AM
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux
Hello:
If there are processes running on your machine
which you do not recognize, assume the machine has
been compromised. Take it offline and wipe it
immediately.
Neil
--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit
On Tue, Jun 02, 2009 at 09:01:35PM -0700, Linux Advocate wrote:
o godd.
i have a quite a few linux boxes and not even one has been hacked. oh man
!!
That you have noticed.
really??? i have to format the box.
it's possible your box is attacked, has been compromised.. or it's possible
that it's also being slammed by some sort of potential attack/hack.
regarding the apache app, what do the log files say... what apps do you have
running on the apache server? are these apps home grown, or installed from
On Tue, Jun 02, 2009 at 09:34:55PM -0700, bruce wrote:
it's possible your box is attacked, has been compromised.. or it's possible
that it's also being slammed by some sort of potential attack/hack.
regarding the apache app, what do the log files say... what apps do you have
running on the
as would
others...
but go ahead and reply to me online, as others might be interested in this
thread as well...
-Original Message-
From: John R. Dennison [mailto:j...@gerdesas.com]
Sent: Tuesday, June 02, 2009 9:41 PM
To: bruce
Cc: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 - Apache
bruce wrote:
it's possible your box is attacked, has been compromised.. or it's possible
that it's also being slammed by some sort of potential attack/hack.
regarding the apache app, what do the log files say... what apps do you have
running on the apache server? are these apps home grown,
On Tue, Jun 02, 2009 at 09:48:41PM -0700, bruce wrote:
not kidding... the majority of windows based attacks on an apache system
running on linux systems are obnoxious, but not harmful... the kinds of
attacks that are looking to exploit windows buffer overflows are harmless to
linux systems..
...@centos.org]on
Behalf Of John R. Dennison
Sent: Tuesday, June 02, 2009 10:10 PM
To: CentOS mailing list
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
On Tue, Jun 02, 2009 at 09:48:41PM -0700, bruce wrote:
not kidding... the majority of windows based attacks on an apache
Bruce:
i'm inclined to think the process is something on his server...
now, how it got there is a curious issue that he's going to have to
address..
This is precisely the point. An unauthorized user currently
has the ability to run processes on the machine. We do
not know what they have
looked on the net for anything related to
this??
-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org]on
Behalf Of Neil Aggarwal
Sent: Tuesday, June 02, 2009 10:21 PM
To: 'CentOS mailing list'
Subject: Re: [CentOS] Centos 5.3 - Apache - Under Attack ? Oh hell
On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
It would be prudent to review his web code to see
if he did something in an insecure way. If his code
is open to attack, it will be so even if he puts it
on a new machine.
Hence my statements to evaluate the web-apps he