Help! I'm being attacked
Brian Densmore
DensmoreB at ctbsonline.com
Thu Sep 19 14:32:05 CDT 2002
Hello again. I don't see any trace of an intrusion.
I did apply patches recently, but I have been away recently and probably
haven't applied the latest patch. Here is something that is bothering
me. Not sure if I configured it like this way back when. Can someone
offer some clue on my syslog file? Here is a ps:
root 1 0.0 0.1 1060 68 ? S 2001 4:19 init [3]
root 2 0.0 0.0 0 0 ? SW 2001 0:03 [kflushd]
root 3 0.0 0.0 0 0 ? SW 2001 0:12 [kupdate]
root 4 0.0 0.0 0 0 ? SW 2001 0:27 [kswapd]
root 5 0.0 0.0 0 0 ? SW 2001 0:00 [keventd]
root 297 0.0 0.7 1148 304 ? S 2001 148:16 syslogd -m 0 -a /home/dns/dev/log
[What is this doing? I don't remember doing this, but did set up
Bastille on the box.]
root 322 0.0 0.2 1272 108 ? S 2001 0:30 crond
root 337 0.0 0.1 1080 60 ? S 2001 3:05 inetd
root 352 0.0 2.6 2544 1032 ? S 2001 29:54 named
root 433 0.0 0.8 2148 320 ? S 2001 9:57 sendmail: accepting connections on
root 513 0.0 0.0 1028 0 tty2 SW 2001 0:00 [mingetty]
root 514 0.0 0.0 1028 0 tty3 SW 2001 0:00 [mingetty]
root 515 0.0 0.0 1028 0 tty4 SW 2001 0:00 [mingetty]
root 516 0.0 0.0 1028 0 tty5 SW 2001 0:00 [mingetty]
root 517 0.0 0.0 1028 0 tty6 SW 2001 0:00 [mingetty]
root 18821 0.0 0.0 1028 0 tty1 SW 2001 0:00 [mingetty]
root 27448 0.0 0.9 2256 356 ? S Jun26 2:37 /usr/local/sbin/sshd2
root 12062 0.0 3.6 3244 1412 ? S Jul04 0:03 /usr/local/apache/bin/httpd -DSSL
nobody 14878 0.0 5.4 3548 2132 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 14879 0.0 5.3 3500 2072 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 14880 0.0 5.4 3548 2116 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 14882 0.0 5.1 3500 1996 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 14883 0.0 5.2 3548 2060 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 18893 0.0 5.1 3500 1992 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 18894 0.0 5.2 3548 2060 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 20247 0.0 5.4 3572 2128 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 20248 0.0 5.1 3500 2016 ? S Sep15 0:01 /usr/local/apache/bin/httpd -DSSL
nobody 20249 0.0 5.2 3496 2064 ? S Sep15 0:01 /usr/local/apache/bin/httpd -DSSL
Not sure how Apache is respawning, as per a log entry. I have to think
that it is ok. Had it really restarted, it would need the passwords
to launch the SSL portion of Apache. I don't see how that is possible.
They are not stored anywhere but in my head or in an encrypted 1024-bit
high security encryption algorithm key form. Someone would have had to
crack the pass phrases or the keys.
Thanks,
Brian
> -----Original Message-----
> From: Dustin Decker [mailto:dustind at moon-lite.com]
> Sent: Wednesday, September 18, 2002 9:31 PM
> To: KCLUG (E-mail)
> Subject: RE: Help! I'm being attacked
>
>
> On Wed, 18 Sep 2002, Brian Densmore wrote:
>
> > Something else I meant to include. I see a suEXEC in the
> log. Any issue
> > here?
>
> http://www.cert.org/advisories/CA-2002-27.html
>
> Looks like you've been hit by the slapper/Apache mod_ssl worm.
> Dustin
Don't see this anywhere on the system.
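Two of the questions in the post above (what `syslogd -a /home/dns/dev/log` is for, and whether Apache "respawning" without a passphrase prompt is suspicious) can be answered from the ps listing itself. The `-a PATH` option of sysklogd adds an extra socket for syslogd to listen on, which is how a daemon running inside a chroot (here, plausibly the `named` process, since the path sits under `/home/dns`; that pairing is an assumption) still gets a `/dev/log`. For mod_ssl, the passphrase is asked for once when the root parent starts; the parent keeps the decrypted key in memory and forks the `nobody` workers from it, so workers being recycled (newer start dates than the parent) is normal, while a new root parent, a worker older than its parent, or an httpd launched from an unexpected binary path would not be. The script below is an added example written for this post, not code from the list or from Bastille. It parses `ps aux`-style rows, extracts the extra syslog sockets, and runs those httpd sanity checks. The sample rows are constructed, modelled on the listing in the post with two deliberately anomalous rows (PIDs 99998 and 99999) added; the reference date 2002-09-19 and the expected httpd path are assumptions.

```python
"""Triage helpers for a `ps aux` listing (added example, not from the post)."""
import re

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample modelled on the ps listing in the post. The last two rows
# (PIDs 99999 and 99998) are deliberate anomalies so the checks have something to find.
SAMPLE_PS = """\
root 1 0.0 0.1 1060 68 ? S 2001 4:19 init [3]
root 297 0.0 0.7 1148 304 ? S 2001 148:16 syslogd -m 0 -a /home/dns/dev/log
root 352 0.0 2.6 2544 1032 ? S 2001 29:54 named
root 12062 0.0 3.6 3244 1412 ? S Jul04 0:03 /usr/local/apache/bin/httpd -DSSL
nobody 14878 0.0 5.4 3548 2132 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 14879 0.0 5.3 3500 2072 ? S Sep15 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 99999 0.0 5.0 3500 2000 ? S Jun01 0:02 /usr/local/apache/bin/httpd -DSSL
nobody 99998 0.0 0.5 1200 400 ? S 03:12 0:00 /tmp/httpd
"""

# Assumed "today" for resolving HH:MM start tokens: the date of the post.
REF_DATE = (2002, 9, 19)


def parse_start(token, ref_date=REF_DATE):
    """Turn a ps START token into a sortable (year, month, day) tuple.
    ps prints a bare year for processes started in an earlier year, MonDD for
    this year, and HH:MM for processes started today."""
    if re.fullmatch(r"\d{4}", token):
        return (int(token), 1, 1)
    m = re.fullmatch(r"([A-Z][a-z]{2})(\d{1,2})", token)
    if m:
        return (ref_date[0], MONTHS[m.group(1)], int(m.group(2)))
    if re.fullmatch(r"\d{1,2}:\d{2}", token):
        return ref_date
    raise ValueError(f"unrecognised START token {token!r}")


def parse_ps(text, ref_date=REF_DATE):
    """Parse `ps aux` rows: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        f = line.split(None, 10)
        if len(f) < 11:
            continue  # wrapped or truncated row; nothing to check
        rows.append({"user": f[0], "pid": int(f[1]),
                     "start": parse_start(f[8], ref_date),
                     "cmd": f[10], "argv": f[10].split()})
    return rows


def syslog_extra_sockets(rows):
    """Extra sockets syslogd listens on via `-a PATH` (sysklogd's mechanism for
    daemons inside a chroot). Each path should map to an intended chroot directory."""
    sockets = []
    for r in rows:
        if r["argv"] and r["argv"][0] == "syslogd":
            args = r["argv"][1:]
            for i, a in enumerate(args):
                if a == "-a" and i + 1 < len(args):
                    sockets.append(args[i + 1])
    return sockets


def check_httpd(rows, expected_bin="/usr/local/apache/bin/httpd", worker_user="nobody"):
    """Sanity checks on an Apache prefork tree without needing PPID: one root
    parent, workers as the configured user, all from the expected binary, and no
    worker older than the parent (a child cannot predate the process that forked it)."""
    findings = []
    httpd = [r for r in rows if r["argv"] and r["argv"][0].endswith("httpd")]
    parents = [r for r in httpd if r["user"] == "root"]
    if len(parents) != 1:
        findings.append(f"expected one root httpd parent, found {len(parents)}")
    parent_start = min((p["start"] for p in parents), default=None)
    for r in httpd:
        if r["argv"][0] != expected_bin:
            findings.append(f"pid {r['pid']}: httpd binary {r['argv'][0]} is not {expected_bin}")
        if r["user"] not in ("root", worker_user):
            findings.append(f"pid {r['pid']}: httpd running as unexpected user {r['user']}")
        if r["user"] != "root" and parent_start and r["start"] < parent_start:
            findings.append(f"pid {r['pid']}: worker started {r['start']} before parent {parent_start}")
    return findings


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    print("extra syslog sockets:", syslog_extra_sockets(rows))
    for finding in check_httpd(rows):
        print("httpd:", finding)
```

Run against the real box with `ps aux | python3 triage.py` after replacing `SAMPLE_PS` with `sys.stdin.read()`. On the listing in the post itself the httpd checks come back clean: one root parent from Jul04, ten `nobody` workers from Sep15, all from the same binary, which is exactly what MaxRequestsPerChild recycling looks like. Anything the script does flag is a reason to compare the binary on disk against the package or a known-good copy, not proof of compromise by itself.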