[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ping22: can not kill this process

Hi Luis:

Did you check to see whether /usr/sbin/apache2 was modified? Or was it
only the running process that had somehow been stack-overflow'd?

        I checked the apache using debsums seems ok.

shopping:/usr/sbin# debsums apache2-mpm-prefork
/usr/sbin/apache2                                                             OK
/usr/share/doc/apache2-mpm-prefork/NEWS.Debian.gz                             OK
/usr/share/doc/apache2-mpm-prefork/copyright                                  OK
/usr/share/doc/apache2-mpm-prefork/changelog.gz                               OK
/usr/share/doc/apache2-mpm-prefork/changelog.Debian.gz                        OK

          How can I check a process being stack-overflowed or not?

IMHO, I'd declare this box as "compromised" and redo the whole thing.
Copy all data to a new box and install tripwire (or something of that
sort), plus follow the Debian security manual to the last bit, before
putting the box online again.

         will do. I had tripwire turned on before, it  seems quite slow. so I turned it off.

A few links:


        great links.

I know that you already had SELinux enabled (after the fact?). So, you
might already have enough information to build a better box.

          Yah, it is a after the fact action. but I have those parameters for SELinux, some lib/apps need that. which may not safe,

allow_execstack --> on
allow_execmem --> on
allow_execmod --> off
allow_execheap --> off

         if the allow_execstack was off and  the application was stack over-flowed, will over-flowed code be constrained by SELinux?

Best Regards

Reply to: