
Re: Is this an attack?



Hello,

Tuesday, December 7, 2010, 13:59:41, Matus UHLAR - fantomas wrote:

> On 07.12.10 10:40, Rodolfo Barbosa wrote:
>> One of my servers, that's still running the old Debian Etch,
>> has been responsible for the crash of my entire internet
>> access.
>> 
>> Every time that my internet access goes down, I see a weird
>> process called 'std' or 'S', always run by the www-data user,
>> that consumes all the machine's process and network resources.
>> 
>> Is this a known attack? I need to get good arguments to
>> convince the users of this server to allow me to get it
>> upgraded.

Probably some PHP script was exploited.
Look at /proc/<pid>, mainly "cwd", which is a link to its working
directory (probably will be some directory inside of the webroot),
then "exe", which should point to the executable itself (will
probably be already removed by the attacker). Also check open files
("fd"), and check netstat -anp to see if it is not listening on some port...
From the start time of the process and its working directory you should
know which virtualhost was abused and know the timeframe to look at in
the access log.

I don't think it is because of old Debian and/or missing security
updates - it is because of badly written PHP scripts. If possible, use
Apache's mod_security and PHP's suhosin to automatically block all
such attempts (however, mainly mod_security has some false positives).

-- 
  bYE, Marki
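
The /proc checks suggested in the reply above, collected into one read-only triage script. This is an added example, not part of the original post; the function names and the optional proc-root argument are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: read-only triage of one suspicious process via /proc.
# The optional second argument (proc root) is an assumption added so the
# functions can be exercised on a constructed tree; omit it on a live host.

# Succeeds if the process's binary has been unlinked from disk.
exe_deleted() {
    local pid="$1" root="${2:-/proc}" target
    target=$(readlink "$root/$pid/exe" 2>/dev/null) || return 2
    case $target in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Prints how many open descriptors are sockets.
socket_fd_count() {
    local pid="$1" root="${2:-/proc}" fd n=0
    for fd in "$root/$pid"/fd/*; do
        case $(readlink "$fd" 2>/dev/null) in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Prints cwd, exe, start time and open files for one PID.
proc_triage() {
    local pid="$1" root="${2:-/proc}" fd
    [ -d "$root/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "cwd:   $(readlink "$root/$pid/cwd" 2>/dev/null || echo unreadable)"
    echo "exe:   $(readlink "$root/$pid/exe" 2>/dev/null || echo unreadable)"
    if exe_deleted "$pid" "$root"; then
        echo "note:  binary was removed from disk after it started"
    fi
    if [ "$root" = /proc ]; then
        # Start time bounds the window to search in the access log.
        echo "start: $(ps -o lstart= -p "$pid" 2>/dev/null || echo unknown)"
    fi
    for fd in "$root/$pid"/fd/*; do
        if [ -L "$fd" ]; then echo "fd ${fd##*/}: $(readlink "$fd")"; fi
    done
    echo "sockets: $(socket_fd_count "$pid" "$root") (see netstat -anp for ports)"
}

# Run as root on the affected host: ./triage.sh <pid>
if [ "$#" -gt 0 ]; then proc_triage "$@"; fi
```

Capture the output before killing the process, since the /proc entries disappear with it.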

