12-07-2010, 12:39 PM
Marek Podmaka
Is this an attack?

Hello,

Tuesday, December 7, 2010, 13:59:41, Matus UHLAR - fantomas wrote:

> On 07.12.10 10:40, Rodolfo Barbosa wrote:
>> One of my servers, that's still running the old Debian Etch,
>> has been responsible for the crash of my entire internet
>> access.
>>
>> Every time that my internet access goes down, I see a weird
>> process called 'std' or 'S' always running as the www-data user
>> that consumes all the machine's processing and network resources.
>>
>> Is this any known attack? I need to get good arguments to
>> convince the users of this server to allow me to get it
>> upgraded.

Probably some PHP script was exploited.
Look at /proc/<pid>, mainly "cwd", which is a link to its working directory (probably
some directory inside the webroot), then "exe", which
should point to the executable itself (probably already
removed by the attacker). Also check open files ("fd"), and check netstat
-anp to see whether it is listening on some port...
From the start time of the process and its working directory you should
know which virtualhost was abused and the timeframe to look in the
access log.

I don't think it is because of old Debian and/or missing security
updates - it is because of badly written PHP scripts. If possible, use
Apache's mod_security and PHP's Suhosin to automatically block all
such attempts (however, mod_security in particular has some false positives).

--
bYE, Marki


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1526669390.20101207143900@marki-online.net
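The triage Marek describes (cwd, exe and fd under /proc/<pid>, then the start time and working directory to pick the virtualhost and the access-log window), worked through as an added Python example. It is not code from the thread; the /proc/<pid>/stat line, the "shop.example" webroot layout and the access-log lines are constructed samples.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache combined-log timestamp, e.g. [07/Dec/2010:10:58:02 +0100]
_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Constructed samples, not from the thread: a /proc/<pid>/stat line for the rogue
# 'std' process (field 22 = 360000 ticks = 1 h after boot) and log lines of one vhost.
SAMPLE_STAT = "4242 (std) R 1 4242 4242 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 360000 1024000 200"
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Dec/2010:10:58:02 +0100] "POST /uploads/img.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Dec/2010:10:59:30 +0100] "GET /uploads/img.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [07/Dec/2010:08:12:11 +0100] "GET /index.php HTTP/1.1" 200 4096',
]

def proc_start_time(stat_text, btime, clk_tck=100):
    """Start time (UTC) from /proc/<pid>/stat; btime is the boot epoch from /proc/stat."""
    # comm (field 2) may contain spaces or ')', so split after its last ')'
    fields = stat_text[stat_text.rindex(")") + 2:].split()
    start_ticks = int(fields[19])  # field 22: ticks since boot (getconf CLK_TCK per second)
    return datetime.fromtimestamp(btime + start_ticks / clk_tck, tz=timezone.utc)

def vhost_from_cwd(cwd, webroot="/var/www"):
    """First path component of cwd below the webroot, i.e. the abused vhost (None if outside)."""
    rel = os.path.relpath(cwd, webroot)
    return None if rel == "." or rel.startswith("..") else rel.split(os.sep)[0]

def access_log_window(lines, start, before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Requests logged shortly before or after the process start: the upload or the trigger."""
    hits = []
    for line in lines:
        m = _TS_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            if start - before <= ts <= start + after:
                hits.append(line)
    return hits

def inspect_proc(pid):
    """Live look at /proc/<pid>: cwd, exe (suffixed ' (deleted)' if unlinked) and open fds."""
    base = f"/proc/{pid}"
    paths = {"cwd": f"{base}/cwd", "exe": f"{base}/exe"}
    paths.update({f"fd/{fd}": f"{base}/fd/{fd}" for fd in os.listdir(f"{base}/fd")})
    result = {}
    for name, path in paths.items():
        try:
            result[name] = os.readlink(path)
        except OSError as err:  # permission denied without root, or fd closed meanwhile
            result[name] = f"<{err.strerror}>"
    return result
```

On a live box, `inspect_proc(pid)` needs root to read another user's /proc entries, and the boot epoch for `proc_start_time` is the `btime` line of /proc/stat.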
 
12-07-2010, 12:44 PM
Thomas Goirand
Is this an attack?

----- Original message -----
> One of my servers, that's still running the old Debian Etch,

gosh... It's been nearly a year that there is no
security support for it, and nearly 2 years Lenny
is out, soon Squeeze will come too (in fact, we
started to use it in production already). Why
didn't you upgrade?

Thomas


Archive: http://lists.debian.org/1291729465.2417.2.camel@Nokia-N900-42-11
 
12-07-2010, 12:46 PM
Thomas Goirand
Is this an attack?

----- Original message -----
> simply upgrading the server will not make exploits like this go away.
> you should check your apache logfiles (do not forget about the error
> logs) and look for any suspicious output (e.g. wget output).

But having a non-upgraded kernel might help to
become root!

Thomas


Archive: http://lists.debian.org/1291729596.2417.5.camel@Nokia-N900-42-11
 
12-07-2010, 01:35 PM
Matus UHLAR - fantomas
Is this an attack?

> ----- Original message -----
> > One of my servers, that's still running the old Debian Etch,

On 07.12.10 21:44, Thomas Goirand wrote:
> gosh... It's been nearly a year that there is no
> security support for it, and nearly 2 years Lenny
> is out, soon Squeeze will come too (in fact, we
> started to use it in production already). Why
> didn't you upgrade?

just remember to upgrade to lenny before it's EOL
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer


Archive: http://lists.debian.org/20101207143527.GA23647@fantomas.sk
 
12-07-2010, 02:03 PM
Ing. Otto Marroquin
Is this an attack?

It seems like your server was hijacked and is being used to send spam...
Check your IP in the RBL databases...

Matus UHLAR - fantomas wrote:
>> ----- Original message -----
>>> One of my servers, that's still running the old Debian Etch,
>
> On 07.12.10 21:44, Thomas Goirand wrote:
>> gosh... It's been nearly a year that there is no
>> security support for it, and nearly 2 years Lenny
>> is out, soon Squeeze will come too (in fact, we
>> started to use it in production already). Why
>> didn't you upgrade?
>
> just remember to upgrade to lenny before it's EOL

Archive: http://lists.debian.org/4CFE4CB5.7020802@celera.net
 
12-07-2010, 02:35 PM
Jesús M. Navarro
Is this an attack?

Hi, Rodolfo:

On Tuesday 07 December 2010 13:40:54 Rodolfo Barbosa wrote:
> Hi,
>
> One of my servers, that's still running the old Debian Etch,
> has been responsible for the crash of my entire internet
> access.

What do you mean, your "entire internet access"? Is it consuming bandwidth? Is
it managing to alter some other systems?

> Every time that my internet access goes down, I see a weird
> process called 'std' or 'S' always running as the www-data user
> that consumes all the machine's processing and network resources.

So probably someone found a bug in some app you are offering through your
web server, which is serving data behind your back. It might pose further dangers
like gaining root privileges through known bugs in Etch's kernel.

> Is this any known attack?

Yes. It is well known that you *never* *ever* should abandon an
Internet-facing server on an EOL-ed operating system or app.

> I need to get good arguments to
> convince the users of this server to allow me to get it
> upgraded.

You don't need any argument to upgrade a system before it becomes EOL-ed: you
establish it as your working policy and act accordingly.

Cheers.


Archive: http://lists.debian.org/201012071635.44069.jesus.navarro@undominio.net
 
12-07-2010, 03:38 PM
Andre Lorenz
Is this an attack?

On 07.12.2010 13:40, Rodolfo Barbosa wrote:
> Hi,
>
> One of my servers, that's still running the old Debian Etch,
> has been responsible for the crash of my entire internet
> access.
>
> Every time that my internet access goes down, I see a weird
> process called 'std' or 'S' always running as the www-data user
> that consumes all the machine's processing and network resources.
>
> Is this any known attack? I need to get good arguments to
> convince the users of this server to allow me to get it
> upgraded.
>
> Thanks
> --
> Rodolfo Barbosa
> Lunar Consultoria
> barbosa.rodolfo@lunarconsultoria.com.br
> CEL: +55 (35) 9132-0764
hi,

did you run a tool like rkhunter or chkrootkit?
this will help you find out about modified system files.

anyway, you should update your server.

regards


Archive: http://lists.debian.org/4CFE6302.1020502@highsecure-net.de
 