On 12/03/2010 11:56 AM, abhishek jain <abhishek.netj...@gmail.com> wrote:
Hi friends,
Today I noticed my VPS was running too slow, then I logged into root and
found a lot of load on it (> 240).
I did a ps -ef and a lot of processes were running; a lot of them were
user1 23771 1 0 15:36 pts/0 00:00:02 ./atack 800
Also in WHM I see a process

I think that's the drawback of using control panels such as whm, cpanel
etc. They may contain security holes due to which an attacker can gain
access on the server.
I'm not sure what type of attack this is, but maybe the attacker didn't
get access through ssh. What you can do is check out the /tmp directory and,
if using php, then php's tmp directory (/var/lib/php5?), and you may see
some perl files which are being executed. If that's the case, then in
the short term what you can do is
1. Put noexec privileges on the /tmp partition. If /tmp is not a
separate partition, then maybe you can use dd to create a 1 or 2 GB file (depending
on the file) and mount it as /tmp with noexec privileges. That way even
if the attacker manages to upload the file in the /tmp directory,
executing it would be difficult.
2. Shut down WHM if that's possible, till you identify and resolve the issue.
What I'd suggest in the long term is
1. Regularly update your linux installation. That's critical.
2. Update your WHM or whatever control panel is there if they offer
updates. If they don't offer updates then switch to one which does.
3. Maybe replace WHM with ISPConfig, though I cannot vouch for the
safety of any.
4. Run ssh on a different port or block access if that's possible (allow
only to specific IPs via iptables).
5. Update your PHP installation if you're using any. Maybe it's one of
your own applications (created by you, or some OSS application that
you're using) rather than WHM which is flawed. That will require some
significant log analysis of your web server logs.
Hope it helps.
Regards
Vivek Kapoor
http://exain.com
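The two concrete hardening steps from Vivek's reply (a loopback-backed /tmp mounted noexec, and restricting the ssh port to a few source addresses with iptables), as an added shell example that is not part of the thread. The functions only inspect a mount table and emit the commands to run, so the logic can be checked without root; the image path /var/tmpfs.img, the 1024 MiB size and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Decides whether /tmp
# already has noexec, emits the dd/mount steps for a noexec loopback /tmp,
# and emits iptables rules that allow ssh only from listed addresses.

# Classify /tmp from mount-table text in /proc/mounts format on stdin
# (on a real host: tmp_mount_state < /proc/mounts). Prints one of:
#   noexec       /tmp is its own mount and carries noexec
#   exec-mount   /tmp is its own mount but still allows execution
#   not-mounted  /tmp is just a directory on the root filesystem
tmp_mount_state() {
    awk '$2 == "/tmp" {
             found = 1
             if ($4 ~ /(^|,)noexec(,|$)/) print "noexec"; else print "exec-mount"
             exit
         }
         END { if (!found) print "not-mounted" }'
}

# Emit the commands (to be run as root) that build a loopback file of the
# given size in MiB, format it, and mount it on /tmp with noexec, nosuid
# and nodev, keeping the old contents. /var/tmpfs.img is a placeholder path.
emit_tmp_remount_cmds() {
    size_mb="$1"
    cat <<EOF
dd if=/dev/zero of=/var/tmpfs.img bs=1M count=${size_mb}
mkfs.ext3 -F /var/tmpfs.img
cp -a /tmp /tmp.old
mount -o loop,noexec,nosuid,nodev /var/tmpfs.img /tmp
chmod 1777 /tmp
cp -a /tmp.old/. /tmp/
echo '/var/tmpfs.img /tmp ext3 loop,noexec,nosuid,nodev 0 0' >> /etc/fstab
EOF
}

# Emit iptables rules that accept TCP to the ssh port only from the given
# source addresses and drop everything else to that port. Refuses (returns 1,
# prints nothing) when no address is given, so the DROP rule can never be
# emitted on its own and lock the administrator out.
emit_ssh_allowlist_rules() {
    port="$1"
    shift
    [ "$#" -gt 0 ] || return 1
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport ${port} -s ${ip} -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport ${port} -j DROP"
}
```

On a live host the natural sequence is `tmp_mount_state < /proc/mounts` to see whether step 1 is needed, then `emit_tmp_remount_cmds 1024 | sh` as root, and `emit_ssh_allowlist_rules 22 <your admin IP> | sh` from a session that is already open, so a mistake in the address list does not cut off the only way in.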
_______________________________________________
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd