I didnĀ“t have any cronjobs but when I detected the attack I saw one in
/var/spool/cron
My logifle says
User apache: /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
personal crontab deleted: 56 Time(s) personal crontab listed: 1 Time(s)
personal crontab replaced: 1 Time(s)Thanks
> Date: Mon, 9 Jan 2012 18:05:38 +0100
> From: i...@simonecaruso.com
> To: users@httpd.apache.org
> CC: luisa2...@hotmail.com
> Subject: Re: [users@httpd] attack on apache
>
> On 09/01/2012 16:11, Luisa Ester Navarro wrote:
> > My server is being attacked. I think it is from apache because I have found
> > commands running with the owner apache.
> > My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL
> > and sh -c curl -o http ....
> >
>
> I don't think they exploited apache, maybe an application level bug. Are the
> cronjobs running as the apache user?
>
>
> --
> Simone Caruso
> IT Consultant
> +39 349 65 90 805
