Re: possibly hacked

On Thursday, 16 November 2006 17:26, olga@xxxxxxxxxxxxxx wrote:
> Hi,
>
>  I wrote about kernel errors which somebody pointed out was because the
> server was running out of memory.
>
> Now I found the following which makes me think that that server may have
> been compromised.
>
> Here's what I get when I issued: netstat -nap
>
> tcp    0      0 131.x.x.x:38423       72.x.x.x:80      ESTABLISHED 5226/ps x
> tcp    0      0 131.x.x.x:38420       72.x.x.x:80      ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache    6323     1  0 10:30 ?        00:00:00 ps x
> apache    6324     1  0 10:30 ?        00:00:00 ps x
> apache    6326     1  0 10:30 ?        00:00:00 ps x
> apache    6328     1  0 10:30 ?        00:00:00 ps x
> apache    6330     1  0 10:30 ?        00:00:00 ps x
>
> Again there are a lot of these?
>
> Any insight anyone?
>
> Thank you.
>
> Olga

Hi Olga,
That's not enough information, at least for me.

You should look at as many logs as you have, first of all the apache ones, of
course. Do you have mod_security running with your apache web server?

Also it could be a great idea to look at /tmp (remember to do -a with ls in order
to look at possible hidden files).

Even if you think that maybe the intruders got shell access through an apache
bug (that's not very common) you should try to find out if they have created
users (especially uid=0 ones). This doesn't pretend to be a forensic guide ;-)
If you want a forensic guide, ask me off the list, I wrote one some weeks
ago.

Hope that helps, and please provide us logs ;-)
Manuel.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
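The checks Manuel lists (uid=0 accounts, hidden files in /tmp, and the flood of apache-owned "ps x" processes from Olga's listing), as an added shell example that is not part of this thread. It assumes POSIX sh with awk; the last function assumes Linux /proc and enough privilege to read /proc/PID/exe.

```shell
#!/bin/sh
# Added triage helpers, not from the thread. Assumes POSIX sh with awk;
# exe_name_mismatch additionally needs Linux /proc and rights to read /proc/PID/exe.

# Accounts with numeric UID 0 other than root (the "uid=0 users" check).
# Takes a passwd-format file so a copied /etc/passwd can be checked offline.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Hidden entries (dot-files) directly under a directory, the "ls -a /tmp" check,
# without . and .. themselves. Dangling symlinks are reported too.
hidden_entries() {
    d="${1:-/tmp}"
    for f in "$d"/.[!.]* "$d"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        echo "$f"
    done
}

# Reads "ps -eo user,pid,comm" output on stdin and prints user/command pairs
# with at least THRESHOLD (default 20) processes, e.g. apache running ~100 "ps".
process_floods() {
    awk -v t="${1:-20}" 'NR > 1 { k = $1 " " $3; n[k]++ }
        END { for (k in n) if (n[k] >= t) print n[k], k }' | sort -rn
}

# Processes whose self-reported name (/proc/PID/comm) does not match the
# executable actually mapped (/proc/PID/exe). Something calling itself "ps"
# that is not the ps binary is worth a look. Interpreters (comm is the script
# name, exe is python/perl) are expected false positives.
exe_name_mismatch() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        case "$(basename "$exe")" in
            "$comm"*) ;;   # comm is the exe name, possibly truncated to 15 chars
            *) echo "pid=${p#/proc/} comm=$comm exe=$exe" ;;
        esac
    done
}

# Run all four against the live system: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "== uid 0 accounts besides root"; extra_uid0_accounts
    echo "== hidden entries in /tmp";      hidden_entries /tmp
    echo "== process floods (>=20)";       ps -eo user,pid,comm | process_floods 20
    echo "== comm/exe mismatches";         exe_name_mismatch
fi
```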

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list