On Thursday, 16 November 2006 17:26, olga@xxxxxxxxxxxxxx wrote:
> Hi,
>
> I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x
>
> Again there are a lot of these?
>
> Any insight anyone?
>
> Thank you.
>
> Olga

Hi Olga,

That's not enough information, at least for me. You should look at as many logs as you have, first of all, the apache ones, of course. Do you have mod_security running with your apache web server?

Also it could be a great idea to look at /tmp (remember to do -a with ls in order to look at possible hidden files).

Even if you think that maybe the intruders got shell access through an apache bug (that's not very common) you should try to find out if they have created users (especially uid=0 ones).

This does not pretend to be a forensic guide ;-) if you want a forensic guide, ask me off the list, I wrote one some weeks ago.

Hope that helps, and please provide us logs ;-)

Manuel.

-- 
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues.
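Added triage example, not part of the thread and not Manuel's forensic guide: a Python script that applies the checks discussed above to constructed copies of `ps -ef`, `netstat -nap` and `/etc/passwd` output. It flags web-server-user processes re-parented to init (a real httpd worker is a child of the master httpd), any process calling itself `ps` that holds a network socket (ps never opens one, so the name is a disguise), and uid 0 accounts other than root. All PIDs, addresses and account names in the samples are constructed.

```python
from collections import defaultdict

# Constructed sample output modelled on the symptoms in the thread (not real data).
PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root      2201     1  0 09:01 ?        00:00:00 /usr/sbin/httpd
apache    2210  2201  0 09:01 ?        00:00:00 /usr/sbin/httpd
apache    6323     1  0 10:30 ?        00:00:00 ps x
apache    6324     1  0 10:30 ?        00:00:00 ps x
olga      7001  6990  0 10:31 pts/0    00:00:00 ps -ef
"""
NETSTAT = """\
tcp        0      0 131.0.0.2:38423         72.0.0.9:80             ESTABLISHED 6323/ps x
tcp        0      0 131.0.0.2:38420         72.0.0.9:80             ESTABLISHED 6324/ps x
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2201/httpd
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:0:0::/tmp/.x:/bin/sh
"""

def orphaned_web_processes(ps_output, web_user="apache"):
    """(pid, cmd) for processes owned by web_user whose parent is init (PPID 1)."""
    found = []
    for line in ps_output.splitlines()[1:]:          # skip the header line
        f = line.split(None, 7)                        # keep CMD with its arguments
        if len(f) == 8 and f[0] == web_user and f[2] == "1":
            found.append((int(f[1]), f[7]))
    return found

def connections_by_pid(netstat_output):
    """pid -> [(remote address, state)] from the TCP lines of netstat -nap."""
    conns = defaultdict(list)
    for line in netstat_output.splitlines():
        f = line.split()
        if not line.startswith("tcp") or len(f) < 7 or "/" not in f[6]:
            continue
        conns[int(f[6].split("/", 1)[0])].append((f[4], f[5]))
    return conns

def extra_uid0_accounts(passwd_text):
    """Account names with uid 0 other than root (a common backdoor account)."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l.count(":") >= 2]
    return [r[0] for r in rows if r[2] == "0" and r[0] != "root"]

def triage(ps_output, netstat_output, passwd_text, web_user="apache"):
    conns = connections_by_pid(netstat_output)
    suspects = [(pid, cmd, conns.get(pid, []))
                for pid, cmd in orphaned_web_processes(ps_output, web_user)]
    # A 'ps' with an established socket is masquerading; treat it as a lie.
    lying_ps = [pid for pid, cmd, c in suspects if cmd.startswith("ps") and c]
    return {"suspect_processes": suspects, "masquerading_ps": lying_ps,
            "extra_uid0": extra_uid0_accounts(passwd_text)}
```

On a live box the same functions can be fed `subprocess.check_output(["ps", "-ef"])` and `netstat -nap` output; run them from read-only media, since a compromised host's own `ps` and `netstat` may themselves be replaced.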