Old 12-24-2009, 11:01 AM
"Manu Verhaegen"
 
attack

Hi,

We have Plesk running, I have Logwatch running, and I have found an IP address.
I have added it to iptables to block it, then the attack is solved.
We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.

I have used the following commands
grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
grep 'ipadres' /var/log/httpd/access.log

They do not find any record.

Regards,
Manu Verhaegen



-----Original message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On behalf of Pete
Sent: Thursday 24 December 2009 12:45
To: CentOS mailing list
Subject: Re: [CentOS] attack

On Thu, 2009-12-24 at 11:31 +0000, Manu Verhaegen wrote:
> Hi,
>
> My server is under attack; it allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?
>
> Regards,
> maverh

Hi Maverh,

I know this may sound like a silly question but how do you know your
server is under attack ? As others have advised, have you checked your
logs on the server ? What are you running that's being attacked ?

/var/log/httpd

/var/log/messages


Regards,

Pete.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos



 
Old 12-24-2009, 11:04 AM
"Manu Verhaegen"
 
attack

At the moment everything is solved; I have blocked the IP address but I have not found the script.


>----- Original message -----
>From: david@pnyet.web.id [mailto:david@pnyet.web.id]
>Sent: Thursday, December 24, 2009 01:07 PM
>To: 'CentOS mailing list'
>Subject: Re: [CentOS] attack
>
>Trying to find what users are running on a specific command, you should use top or ps or netstat; please read the manual on how to use them. After all, once you get some info, unplug your server from the internet and see what the logs say.
>
>Warm regards,
>David
>---------------------
>./nobody


 
Old 12-24-2009, 11:07 AM
"Thomas Dukes"
 
attack

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of Manu Verhaegen
> Sent: Thursday, December 24, 2009 7:04 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] attack
>
> At the moment everything is solved; I have blocked the IP address
> but I have not found the script.
>

So you are the attacker. Happened to me a couple weeks ago.

Check your tmp directory and its subdirectories for std, udp.pl. Also check
/etc/passwd and /etc/shadow for unusual users. They should be at the very bottom
of those files.

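The two checks suggested above (accounts appended to /etc/passwd and /etc/shadow, and dropped tools such as std or udp.pl under /tmp) can be scripted so they are repeatable on every vhost server. The following is an added example, not code from the thread or from CentOS/Plesk; the names in SUSPECT_NAMES come from the post, the UID boundary of 500 and the Plesk-style sample entries are assumptions, and the passwd/shadow text and the temp directory it scans are constructed inline so it runs offline.

```python
import os
import stat
import tempfile

# Dropped-tool names mentioned in the post; extend with what your own incident shows (assumption)
SUSPECT_NAMES = {"std", "udp.pl"}
# Script-like files that have no business sitting in a temp directory
SUSPECT_EXTENSIONS = (".pl", ".php", ".sh", ".py", ".c")
# Shells that deny interactive login
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
# CentOS 5 creates ordinary users from UID 500 upwards; lower UIDs are system accounts (assumption)
SYSTEM_UID_MAX = 499

# Constructed sample files (not from a real host): "toor" and "ftpx" were appended by an intruder.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "apache:x:48:48:Apache:/var/www:/sbin/nologin\n"
                 "manu:x:500:500::/home/manu:/bin/bash\n"
                 "toor:x:0:0::/root:/bin/bash\n"
                 "ftpx:x:401:401::/tmp/.x:/bin/bash\n")
SAMPLE_SHADOW = ("root:$1$saltsalt$abcdefghijklmnopqrstuv:14600:0:99999:7:::\n"
                 "manu:$1$saltsalt$vutsrqponmlkjihgfedcba:14600:0:99999:7:::\n"
                 "backdoor::14600:0:99999:7:::\n")


def find_suspicious_accounts(passwd_text):
    """Return (name, reason) pairs for passwd entries worth a second look:
    a second UID-0 account, a system UID given a real shell, or a home under /tmp, /var/tmp, /dev."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if not uid.isdigit():
            findings.append((name, "non-numeric UID"))
            continue
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        elif uid <= SYSTEM_UID_MAX and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((name, "system UID %d with login shell %s" % (uid, shell)))
        if home.startswith(("/tmp", "/var/tmp", "/dev/")):
            findings.append((name, "home directory %s" % home))
    return findings


def find_empty_passwords(shadow_text):
    """Names of shadow entries whose hash field is empty: they log in with no password at all."""
    return [f[0] for f in (line.split(":") for line in shadow_text.splitlines())
            if len(f) >= 2 and f[0] and f[1] == ""]


def scan_tmp(directory):
    """Walk a temp directory and return (path, reason) pairs for hidden dirs, known tool names,
    scripts and anything with an execute bit."""
    findings = []
    for root, dirs, files in os.walk(directory):
        for d in dirs:
            if d.startswith("."):
                findings.append((os.path.join(root, d), "hidden directory"))
        for f in files:
            path = os.path.join(root, f)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if f in SUSPECT_NAMES:
                findings.append((path, "name matches a known dropped tool"))
            elif f.endswith(SUSPECT_EXTENSIONS):
                findings.append((path, "script in temp directory"))
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((path, "executable file"))
    return findings


def demo_tmp_scan():
    """Build a constructed /tmp look-alike, scan it, return the sorted reasons, then clean up."""
    base = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(base, ".x"))
        with open(os.path.join(base, "udp.pl"), "w") as fh:
            fh.write("#!/usr/bin/perl\n")          # stand-in for the tool named in the post
        runner = os.path.join(base, ".x", "run.sh")
        with open(runner, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(runner, 0o755)                    # executable script inside a hidden directory
        open(os.path.join(base, "sess_3f2a"), "w").close()   # ordinary PHP session file, not flagged
        return sorted(reason for _path, reason in scan_tmp(base))
    finally:
        for root, dirs, files in os.walk(base, topdown=False):
            for f in files:
                os.remove(os.path.join(root, f))
            for d in dirs:
                os.rmdir(os.path.join(root, d))
        os.rmdir(base)


if __name__ == "__main__":
    for name, reason in find_suspicious_accounts(SAMPLE_PASSWD):
        print("passwd: %-10s %s" % (name, reason))
    for name in find_empty_passwords(SAMPLE_SHADOW):
        print("shadow: %-10s empty password hash" % name)
    for reason in demo_tmp_scan():
        print("tmp:    %s" % reason)
```

On a live host, feed it open("/etc/passwd").read(), open("/etc/shadow").read() (as root) and scan_tmp("/tmp") plus scan_tmp("/var/tmp"); on a Plesk box also walk each vhost's own tmp directory. The checks are deliberately noisy in the direction of false positives: a finding is a thing to look at, not a verdict.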
 
Old 12-24-2009, 11:07 AM
 
attack

Trying to find what users are running on a specific command, you should use top or ps or netstat; please read the manual on how to use them. After all, once you get some info, unplug your server from the internet and see what the logs say.

------Original Message------
From: Manu Verhaegen
Sender: centos-bounces@centos.org
To: centos@centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] attack
Sent: Dec 24, 2009 6:31 PM

Hi,

My server is under attack; it allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?

Regards,
maverh


Warm regards,
David
---------------------
./nobody
 
Old 12-24-2009, 11:22 AM
Karanbir Singh
 
attack

Hello

On 12/24/2009 12:01 PM, Manu Verhaegen wrote:
> We have Plesk running, I have Logwatch running, and I have found an IP address.
> I have added it to iptables to block it, then the attack is solved.
> We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.


You also have a broken email client. What are the chances that you could:

a) find an email client that preserves thread sanity
b) refrain from top-posting unless absolutely necessary

--
Karanbir Singh
London, UK | http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219 | Yahoo IM: z00dax | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc
 
Old 12-24-2009, 11:45 AM
"Manu Verhaegen"
 
attack

Hi,

I have checked my tmp directory and subdirectories for std, udp.pl; no such file exists. I have also checked /etc/passwd and /etc/shadow for unusual users.

Regards

 
Old 12-24-2009, 11:58 AM
"R-Elists"
 
attack

> Hi,
>
> I have checked my tmp directory and subdirectories for std,
> udp.pl; no such file exists. I have also checked /etc/passwd and
> /etc/shadow for unusual users.
>
> Regards

Manu,

forgive me if I missed it when I deleted several of the posts in the thread,
yet how hard is it to check all the pertinent logfiles?

unless this is a very sophisticated compromise that hides, moves, or deletes
things, or the management system is trash, the info you need is "typically"
in one or more of the various logfiles on the system

something as simple as

man less

less /var/log/httpd/access_log

less /var/log/httpd/error_log

replace appropriate logfile names as necessary...

in general, there are many you can look at to gain some wisdom...

- rh

 
Old 12-24-2009, 01:31 PM
Kai Schaetzl
 
attack

Obviously, if you are running several vhosts and plesk you likely have
other logs to check. Also, one can usually see the origin of the mail
injection in the maillog (e.g. complaints about setting to an unsafe
sender) or in the outgoing messages. At runtime you can see the connects
with full URLs on the apache status page.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



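The reason the single-IP grep in the first post came back empty is the usual one with injected mailers: many bots post to the script a few times each, so no one address stands out. The surer route is the one Kai points at, the mail side of the logs. PHP (5.3 and later) can record every mail() call with the calling script and line when php.ini sets `mail.log = /var/log/php_mail.log` and `mail.add_x_header = On` (the latter also stamps an X-PHP-Originating-Script header on each outgoing message). The script below is an added example, not code from the thread, PHP or Plesk: it takes that PHP mail log, names the script that calls mail() most, maps it to a URL using the Plesk docroot layout /var/www/vhosts/<domain>/httpdocs (an assumption; the per-vhost access_log then lives under /var/www/vhosts/<domain>/statistics/logs/, the path the first post greps), and counts which source addresses requested that URL. The mail.log line format is taken from PHP's ext/standard/mail.c; both log samples are constructed.

```python
import re
from collections import Counter

# Line written by PHP's mail.log setting (ext/standard/mail.c):
#   [date] mail() on [/path/to/script.php:LINE]: To: addr -- Headers: ...
MAIL_LOG_RE = re.compile(
    r"^\[[^\]]+\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: To: (?P<to>\S+)")

# Apache "combined" access log line: ip ident user [date] "METHOD target proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Plesk docroot layout assumed here: /var/www/vhosts/<domain>/httpdocs/<url path>
PLESK_DOCROOT_RE = re.compile(r"^/var/www/vhosts/(?P<domain>[^/]+)/httpdocs(?P<path>/.*)$")

# Constructed sample data (not real logs): one injected mailer hidden in an images directory
# and one legitimate contact form on another vhost.
MAIL_LOG = """\
[24-Dec-2009 11:02:13 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/images/.cache/x.php:3]: To: victim1@example.net -- Headers: From: news@example.com
[24-Dec-2009 11:02:13 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/images/.cache/x.php:3]: To: victim2@example.net -- Headers: From: news@example.com
[24-Dec-2009 11:05:40 UTC] mail() on [/var/www/vhosts/shop.example.org/httpdocs/contact.php:88]: To: owner@example.org -- Headers: From: form@shop.example.org
[24-Dec-2009 11:06:01 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/images/.cache/x.php:3]: To: victim3@example.net -- Headers: From: news@example.com
"""
ACCESS_LOG = """\
203.0.113.5 - - [24/Dec/2009:11:02:12 +0000] "POST /images/.cache/x.php HTTP/1.1" 200 43 "-" "Mozilla/4.0"
198.51.100.77 - - [24/Dec/2009:11:02:13 +0000] "POST /images/.cache/x.php HTTP/1.1" 200 43 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Dec/2009:11:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Dec/2009:11:06:01 +0000] "POST /images/.cache/x.php HTTP/1.1" 200 43 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Dec/2009:11:06:02 +0000] "POST /images/.cache/x.php?a=1 HTTP/1.1" 200 43 "-" "-"
"""


def top_sending_scripts(mail_log_text):
    """Count mail() calls per calling script (the file PHP recorded, not the URL)."""
    counts = Counter()
    for line in mail_log_text.splitlines():
        m = MAIL_LOG_RE.match(line)
        if m:
            counts[m.group("script")] += 1
    return counts


def script_to_url_path(script_path):
    """Map a file under a Plesk httpdocs to (domain, URL path); None if it is outside any docroot."""
    m = PLESK_DOCROOT_RE.match(script_path)
    return (m.group("domain"), m.group("path")) if m else None


def requesters_for_path(access_log_text, url_path):
    """Count requests per source IP whose target (query string stripped) is url_path."""
    counts = Counter()
    for line in access_log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("target").split("?", 1)[0] == url_path:
            counts[m.group("ip")] += 1
    return counts


def investigate(mail_log_text, access_log_text):
    """Name the busiest mailer script and every address that requested it."""
    counts = top_sending_scripts(mail_log_text)
    if not counts:
        return None
    script, sends = counts.most_common(1)[0]
    result = {"script": script, "sends": sends, "domain": None,
              "url_path": None, "requesters": Counter()}
    mapped = script_to_url_path(script)
    if mapped:                      # a library file outside httpdocs cannot be mapped to a URL
        result["domain"], result["url_path"] = mapped
        result["requesters"] = requesters_for_path(access_log_text, mapped[1])
    return result


if __name__ == "__main__":
    r = investigate(MAIL_LOG, ACCESS_LOG)
    print("mailer script: %s (%d sends)" % (r["script"], r["sends"]))
    print("vhost %s, URL %s" % (r["domain"], r["url_path"]))
    for ip, n in r["requesters"].most_common():
        print("  %-16s %d requests" % (ip, n))
```

In the sample, three addresses share four POSTs to the mailer, which is exactly the pattern a grep for one address misses; block the script (or the whole hidden directory), not the address. If the mail log points at a shared library file rather than the dropped script, the calling page is in the access log of the same second, and the X-PHP-Originating-Script header in the queued messages gives the same path. Once the file is named, its mtime and a look for eval/base64_decode tell you whether it was planted or a legitimate form being abused.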
 
Old 12-24-2009, 01:48 PM
"Manu Verhaegen"
 
attack

Hi,

I am checking this.

Thanks,
Manu


 
Old 12-24-2009, 03:20 PM
Andy Sutton
 
attack

http://www.atomicorp.com/wiki/index.php/Atomic_Secured_Linux

Wraps a lot of "good stuff" together for a plesk web server on CentOS.
Won't help much if you are already compromised, but it would be a good
addition.

-Andy
