Help! I'm being attacked

Brian Densmore DensmoreB at ctbsonline.com
Thu Sep 19 14:32:05 CDT 2002


Hello again. I don't see any trace of an intrusion.
I did apply patches recently but have been away and probably haven't
applied the latest patch. Here is something that is bothering
me. Not sure if I configured it like this way back when. Can someone
offer some clue on my syslog file? Here is a ps:

root         1  0.0  0.1  1060   68 ?        S     2001   4:19 init [3]
root         2  0.0  0.0     0    0 ?        SW    2001   0:03 [kflushd]
root         3  0.0  0.0     0    0 ?        SW    2001   0:12 [kupdate]
root         4  0.0  0.0     0    0 ?        SW    2001   0:27 [kswapd]
root         5  0.0  0.0     0    0 ?        SW    2001   0:00 [keventd]
root       297  0.0  0.7  1148  304 ?        S     2001 148:16 syslogd -m 0 -a /home/dns/dev/log
[what is this doing? I don't remember doing this, but did set up bastille on the box.]

root       322  0.0  0.2  1272  108 ?        S     2001   0:30 crond
root       337  0.0  0.1  1080   60 ?        S     2001   3:05 inetd
root       352  0.0  2.6  2544 1032 ?        S     2001  29:54 named
root       433  0.0  0.8  2148  320 ?        S     2001   9:57 sendmail: accepting connections on
root       513  0.0  0.0  1028    0 tty2     SW    2001   0:00 [mingetty]
root       514  0.0  0.0  1028    0 tty3     SW    2001   0:00 [mingetty]
root       515  0.0  0.0  1028    0 tty4     SW    2001   0:00 [mingetty]
root       516  0.0  0.0  1028    0 tty5     SW    2001   0:00 [mingetty]
root       517  0.0  0.0  1028    0 tty6     SW    2001   0:00 [mingetty]
root     18821  0.0  0.0  1028    0 tty1     SW    2001   0:00 [mingetty]
root     27448  0.0  0.9  2256  356 ?        S    Jun26   2:37 /usr/local/sbin/sshd2
root     12062  0.0  3.6  3244 1412 ?        S    Jul04   0:03 /usr/local/apache/bin/httpd -DSSL
nobody   14878  0.0  5.4  3548 2132 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   14879  0.0  5.3  3500 2072 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   14880  0.0  5.4  3548 2116 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   14882  0.0  5.1  3500 1996 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   14883  0.0  5.2  3548 2060 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   18893  0.0  5.1  3500 1992 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   18894  0.0  5.2  3548 2060 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   20247  0.0  5.4  3572 2128 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   20248  0.0  5.1  3500 2016 ?        S    Sep15   0:01 /usr/local/apache/bin/httpd -DSSL
nobody   20249  0.0  5.2  3496 2064 ?        S    Sep15   0:01 /usr/local/apache/bin/httpd -DSSL

Not sure how Apache is respawning, as per a log entry. I have to think
that it is OK. Had it really restarted, then it would need the passwords
to launch the SSL portion of Apache. I don't see how that is possible.
They are not stored anywhere but in my head or in an encrypted 1024-bit
high-security encryption algorithm key form. Someone would have had to
crack the pass phrases or the keys.

Thanks,
Brian

> -----Original Message-----
> From: Dustin Decker [mailto:dustind at moon-lite.com]
> Sent: Wednesday, September 18, 2002 9:31 PM
> To: KCLUG (E-mail)
> Subject: RE: Help! I'm being attacked 
> 
> 
> On Wed, 18 Sep 2002, Brian Densmore wrote:
> 
> > Something else I meant to include. I see a suEXEC in the log. Any issue
> > here?
> 
> http://www.cert.org/advisories/CA-2002-27.html
> 
> Looks like you've been hit by the slapper/Apache mod_ssl worm.
> Dustin

Don't see this anywhere on the system.
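As an added example, not part of Brian's post or anything from the KCLUG thread, here is a small Python triage helper that parses a `ps aux`-style listing like the one above and checks the two points the message raises: what the `-a` argument to syslogd is doing, and whether the httpd start times point to a full Apache restart (which would have required the SSL pass phrase) or only to the parent recycling its children. It relies on syslogd's documented meaning of `-a`, which is to listen on an additional Unix-domain log socket, typically so that a daemon running in a chroot jail can still log. The sample listing is constructed from the post with the wrapped lines rejoined; the year 2002 used to order the `Jun26`/`Sep15` start fields is assumed from the message date.

```python
import re
from os.path import basename

# Constructed sample input: a subset of the ps listing from the post, with the
# wrapped lines rejoined (enough rows to exercise every check below).
PS_OUTPUT = """\
root         1  0.0  0.1  1060   68 ?        S     2001   4:19 init [3]
root         2  0.0  0.0     0    0 ?        SW    2001   0:03 [kflushd]
root       297  0.0  0.7  1148  304 ?        S     2001 148:16 syslogd -m 0 -a /home/dns/dev/log
root       337  0.0  0.1  1080   60 ?        S     2001   3:05 inetd
root       352  0.0  2.6  2544 1032 ?        S     2001  29:54 named
root       433  0.0  0.8  2148  320 ?        S     2001   9:57 sendmail: accepting connections on
root       513  0.0  0.0  1028    0 tty2     SW    2001   0:00 [mingetty]
root     27448  0.0  0.9  2256  356 ?        S    Jun26   2:37 /usr/local/sbin/sshd2
root     12062  0.0  3.6  3244 1412 ?        S    Jul04   0:03 /usr/local/apache/bin/httpd -DSSL
nobody   14878  0.0  5.4  3548 2132 ?        S    Sep15   0:02 /usr/local/apache/bin/httpd -DSSL
nobody   20249  0.0  5.2  3496 2064 ?        S    Sep15   0:01 /usr/local/apache/bin/httpd -DSSL
"""

FIELDS = ["user", "pid", "cpu", "mem", "vsz", "rss", "tty", "stat", "start", "time", "command"]
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
TODAY = (2002, 9, 19)  # assumed: the date of the post, needed to order Mon+day START fields


def parse_ps(text):
    """Parse `ps aux`-style lines into dicts; the COMMAND column keeps its spaces."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or parts[0] == "USER":
            continue
        proc = dict(zip(FIELDS, parts))
        proc["pid"] = int(proc["pid"])
        procs.append(proc)
    return procs


def start_key(start, today=TODAY):
    """Turn a ps START field (2001, Jun26 or 14:32) into a comparable (year, month, day)."""
    if re.fullmatch(r"\d{4}", start):
        return (int(start), 0, 0)
    m = re.fullmatch(r"([A-Z][a-z]{2})(\d{1,2})", start)
    if m:
        return (today[0], MONTHS[m.group(1)], int(m.group(2)))
    if re.fullmatch(r"\d{1,2}:\d{2}", start):
        return today  # an HH:MM START means the process started today
    raise ValueError("unrecognised START field: %r" % start)


def syslog_extra_sockets(procs):
    """Paths passed to syslogd -a: extra log sockets, normally for chrooted daemons."""
    socks = []
    for p in procs:
        argv = p["command"].split()
        if argv and basename(argv[0]) == "syslogd":
            for i, arg in enumerate(argv):
                if arg == "-a" and i + 1 < len(argv):
                    socks.append(argv[i + 1])
    return socks


def root_daemons(procs):
    """User-space programs running as root with no terminal (kernel threads excluded)."""
    return sorted({basename(p["command"].split()[0]).rstrip(":")
                   for p in procs
                   if p["user"] == "root" and p["tty"] == "?"
                   and not p["command"].startswith("[")})


def apache_restart_check(procs, binary="/usr/local/apache/bin/httpd", today=TODAY):
    """Did the Apache parent restart, or did it only spawn fresh children?

    In Apache 1.3 the root-owned parent is the process that reads the SSL pass
    phrase; the children (running as the User directive's account) are recycled
    by the parent without it.  A parent older than every child means no full
    restart happened, which is consistent with child recycling alone.
    """
    httpd = [p for p in procs if p["command"].split()[0] == binary]
    parents = [p for p in httpd if p["user"] == "root"]
    children = [p for p in httpd if p["user"] != "root"]
    result = {"parent_pid": None, "children": len(children), "children_recycled_only": False}
    if len(parents) != 1 or not children:
        return result
    parent = parents[0]
    result["parent_pid"] = parent["pid"]
    oldest_child = min(start_key(c["start"], today) for c in children)
    result["children_recycled_only"] = start_key(parent["start"], today) < oldest_child
    return result


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    print("extra syslog sockets:", syslog_extra_sockets(procs))
    print("root daemons:", root_daemons(procs))
    print("apache:", apache_restart_check(procs))
```

On the listing in the post this reports `/home/dns/dev/log` as the one extra socket (the kind of path a chroot jail for named would use), and an httpd parent from Jul04 with children from Sep15, so the children were recycled by the parent rather than the whole server restarting. One caveat for any listing taken from a host under suspicion: `ps` reads its own `/proc` and its own binary, so the output is only as trustworthy as those, and a check like this belongs alongside a comparison against known-good binaries or an offline examination of the disk.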