On Thursday, 16 November 2006 17:26, olga(a)urbantimes.net wrote:
Hi,
I wrote about kernel errors which somebody pointed out was because the
server was running out of memory.
Now I found the following which makes me think that that server may have
been compromised.
Here's what I get when I issued: netstat -nap
tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
About a hundred instances of that program 'ps x' running.
Also here's what ps -ef produced:
apache 6323 1 0 10:30 ? 00:00:00 ps x
apache 6324 1 0 10:30 ? 00:00:00 ps x
apache 6326 1 0 10:30 ? 00:00:00 ps x
apache 6328 1 0 10:30 ? 00:00:00 ps x
apache 6330 1 0 10:30 ? 00:00:00 ps x
Again, there are a lot of these.
Any insight anyone?
Thank you.
Olga
Hi Olga,
That's not enough information, at least for me.
You should look at as many logs as you have, first of all the apache ones, of
course. Do you have mod_security running with your apache web server?
It could also be a good idea to look at /tmp (remember to use -a with ls in order
to see possible hidden files).
Even if you think that the intruders got shell access through an apache
bug (which is not very common), you should try to find out whether they have created
users (especially uid=0 ones). This doesn't pretend to be a forensic guide ;-)
if you want a forensic guide, ask me off the list, I wrote one some weeks
ago.
Hope that helps, and please provide us logs ;-)
Manuel.
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
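The checks Manuel suggests (hidden files in /tmp, extra uid=0 accounts) together with Olga's netstat and ps observations, as an added shell example that is not code from this thread. The function names, the RFC 5737 addresses, the extra_root account and the sample listings are constructed assumptions; on a real host the same functions take the live netstat -nap, ps -ef, /etc/passwd and /tmp.

```shell
#!/bin/sh
# Added triage example for the checks discussed in the thread (not code from the thread).
# Inputs are constructed samples so it runs offline; on a real host feed it the live output.

# Constructed `netstat -nap` output (RFC 5737 addresses stand in for the masked ones).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:38423        198.51.100.7:80         ESTABLISHED 5226/ps
tcp        0      0 192.0.2.10:38420        198.51.100.7:80         ESTABLISHED 5365/ps
tcp        0      0 192.0.2.10:22           192.0.2.55:50000        ESTABLISHED 900/sshd'
# Constructed `ps -ef` output mirroring the listing in the thread.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 init
apache    6323     1  0 10:30 ?        00:00:00 ps x
apache    6324     1  0 10:30 ?        00:00:00 ps x
apache    6400  2000  0 10:31 ?        00:00:00 /usr/sbin/httpd
olga      7000  6900  0 10:32 pts/0    00:00:00 ps x'
# Constructed /etc/passwd with one extra uid 0 account (assumed name: extra_root).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
olga:x:1000:1000:Olga:/home/olga:/bin/bash
extra_root:x:0:0::/tmp:/bin/bash'

# ESTABLISHED sockets owned by a program name; `ps` has no business holding outbound
# port-80 sockets. netstat fills the PID/Program column only for processes you may inspect.
count_established_by_program() {   # $1 = netstat text, $2 = program name
    printf '%s\n' "$1" | awk -v prog="$2" \
        '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { split($7, a, "/"); if (a[2] == prog) n++ } END { print n + 0 }'
}
# Web-server-account processes re-parented to init (PPID 1), the usual shape of a
# process spawned from a compromised script that has detached from the server.
count_orphaned_webserver_procs() {  # $1 = ps -ef text, $2 = service account
    printf '%s\n' "$1" | awk -v acct="$2" '$1 == acct && $3 == 1 { n++ } END { print n + 0 }'
}
# Accounts with uid 0 other than root (Manuel's "uid=0 ones").
extra_uid0_accounts() {             # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
# Dot-files a plain `ls` would miss (Manuel's `ls -a` hint for /tmp).
hidden_entries_in() {               # $1 = directory
    ls -A "$1" | grep '^\.' || true
}
# Constructed stand-in for /tmp with one hidden and one visible entry.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
: > "$DEMO_DIR/.hidden_demo"; : > "$DEMO_DIR/visible.txt"

echo "ESTABLISHED sockets owned by 'ps':    $(count_established_by_program "$SAMPLE_NETSTAT" ps)"
echo "apache processes re-parented to init: $(count_orphaned_webserver_procs "$SAMPLE_PS" apache)"
echo "uid 0 accounts besides root:          $(extra_uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "hidden entries in $DEMO_DIR:          $(hidden_entries_in "$DEMO_DIR" | tr '\n' ' ')"
```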