Re: possibly hacked

On Thursday, 16 November 2006 at 17:26, olga@xxxxxxxxxxxxxx wrote:
> Hi,
>
>  I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache    6323     1  0 10:30 ?        00:00:00 ps x
> apache    6324     1  0 10:30 ?        00:00:00 ps x
> apache    6326     1  0 10:30 ?        00:00:00 ps x
> apache    6328     1  0 10:30 ?        00:00:00 ps x
> apache    6330     1  0 10:30 ?        00:00:00 ps x
>
> Again there are a lot of these?
>
> Any insight anyone?
>
> Thank you.
>
> Olga

Hi Olga, 
That's not enough information, at least for me.

You should look at as many logs as you have, first of all, the apache ones, of 
course. Do you have mod_security running with your apache web server?

Also, it could be a great idea to look at /tmp (remember to do -a with ls in order 
to look at possible hidden files).

Even if you think that maybe the intruders got shell access through an apache 
bug (that's not very common), you should try to find out if they have created 
users (especially uid=0 ones). This doesn't pretend to be a forensic guide, ;-) 
if you want a forensic guide, ask me off the list, I wrote one some weeks 
ago.

Hope that helps, and please provide us logs ;-)
Manuel.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
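The checks Manuel suggests above (detached "ps x" processes owned by the apache user, hidden files under a directory such as /tmp, extra uid 0 accounts) as a small triage script. This is an added example, not code from either poster; the ps -ef and passwd samples are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added triage helpers for the thread above. All data below is constructed
# sample input, not output captured from Olga's server.

# Constructed ps -ef output in the shape Olga posted: detached (PPID 1) "ps x"
# processes owned by apache, next to normal processes.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 init [3]
root       512     1  0 10:00 ?        00:00:00 /usr/sbin/sshd
apache    6323     1  0 10:30 ?        00:00:00 ps x
apache    6324     1  0 10:30 ?        00:00:00 ps x
apache    6326     1  0 10:30 ?        00:00:00 ps x
olga      7001  6990  0 10:35 pts/0    00:00:00 ps x'

# Constructed passwd file with a second uid 0 account behind a bland name.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
olga:x:500:500::/home/olga:/bin/bash
backup:x:0:0::/var/backups:/bin/bash'

# Count processes owned by $1 that were re-parented to PID 1 and whose
# command line is exactly $2 (e.g. "ps x"). A web server does not spawn
# detached interactive tools, and the name may be cosmetic, since a process
# chooses its own argv[0]; compare any hits against /proc/PID/exe afterwards.
# Reads ps -ef output on stdin.
count_orphaned_cmds() {
    awk -v user="$1" -v cmd="$2" '
        NR > 1 && $1 == user && $3 == 1 {
            c = $8
            for (i = 9; i <= NF; i++) c = c " " $i
            if (c == cmd) n++
        }
        END { print n + 0 }'
}

# Print every uid 0 account that is not literally "root"; reads passwd on stdin.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# List hidden entries (dotfiles) directly under directory $1, a scriptable
# version of "ls -la" for the /tmp check.
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*'
}

printf '%s\n' "$SAMPLE_PS" | count_orphaned_cmds apache 'ps x'   # 3
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts             # backup
```

On a live host, feed `ps -ef` and `/etc/passwd` into the two filters and run `hidden_entries /tmp`.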