I didn't have any cronjobs, but when I detected the attack I saw one in /var/spool/cron.

My logfile says:

User apache:
/var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
personal crontab deleted: 56 Time(s)
personal crontab listed: 1 Time(s)
personal crontab replaced: 1 Time(s)

Thanks

> Date: Mon, 9 Jan 2012 18:05:38 +0100
> From: info@xxxxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> CC: luisa2010@xxxxxxxxxxx
> Subject: Re: attack on apache
>
> On 09/01/2012 16:11, Luisa Ester Navarro wrote:
> > My server is being attacked. I think it is from apache because I have found
> > commands running with the owner apache.
> > My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL
> > and sh -c curl -o http ....
> >
>
> I don't think they exploited apache, maybe an application level bug. Are the
> cronjobs running as the apache user?
>
>
> --
> Simone Caruso
> IT Consultant
> +39 349 65 90 805