
Re: Am I Compromised -- Some interesting findings



On Fri, 2005-25-11 at 22:12 +0530, Ritesh Raj Sarraf wrote:
> In my first mail, the logs showed a lot of "sh" defunct processes executed
> from within apache. Is this an attempt to gain the shell through the web
> server ?
> 
> Please suggest what more I should look for and how to tackle this attack.

Do you have mod_php installed? Are you running any PHP-based
applications? Some of them have potential vulnerabilities if certain
functions are being used; I don't recall offhand which ones.

From your first post I would have thought that you had a perl script
that was running in an infinite loop. However, I don't know why you
should have a /usr/sbin/httpd application on your system, let alone why it
would be running it. Debian, I don't believe, ever calls any web process
httpd. So I would check with dpkg what package that file belongs to.

If I were you I would probably disconnect that server from the internet
until you sort out what is going on, what is causing the problems and if
any of your files have been compromised. The longer you leave your
system up and running with symptoms of being compromised the longer you
leave yourself exposed to actually being compromised or getting your
system further into a state of non-recovery.

You can probably try installing and running chkrootkit along with tiger.
These might help determine how and if your system is actually
compromised.

I hope that this helps.

-- 
 o)    Derek Wueppelmann               (o
(D .    monkey@monkey.homeip.net        D).
((`      http://monkey.homeip.net/     ( ) `
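A small triage script for the checks this reply suggests, added here as an example and not part of the original thread or of Debian's own tooling: it lists defunct shell children of the web server from `ps` output, asks dpkg which package owns a suspicious binary such as /usr/sbin/httpd, and compares the file against that package's install-time md5 manifest. The `ps -eo pid,ppid,stat,comm` input format, the apache/httpd process names and the /var/lib/dpkg/info/<pkg>.md5sums location are assumptions.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original thread).

# Input assumed: output of `ps -eo pid,ppid,stat,comm` (header line first).
# Prints "pid ppid parent_comm" for every zombie (STAT starting with Z)
# whose parent process is named apache, apache2 or httpd.
find_defunct_web_children() {
    awk 'NR > 1 {
            comm[$1] = $4
            if ($3 ~ /^Z/) { zpid[NR] = $1; zppid[NR] = $2 }
         }
         END {
            for (n in zpid) {
                p = zppid[n]
                if (comm[p] ~ /^(apache|apache2|httpd)$/)
                    print zpid[n], p, comm[p]
            }
         }'
}

# Ask dpkg which package installed a file. On a Debian system a binary
# that no package owns is a red flag, as the reply above points out.
package_owning() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available" >&2; return 2; }
    dpkg -S "$1" 2>/dev/null || { echo "no package owns $1"; return 1; }
}

# Compare a file's md5 with the one its package recorded at install time
# (assumed location: /var/lib/dpkg/info/<pkg>.md5sums, paths without
# the leading slash). A mismatch means the file was changed after install.
verify_against_package() {
    file=$1
    pkg=$(dpkg -S "$file" 2>/dev/null | cut -d: -f1)
    [ -n "$pkg" ] || { echo "no package owns $file"; return 1; }
    rel=${file#/}
    expected=$(awk -v f="$rel" '$2 == f { print $1 }' \
               "/var/lib/dpkg/info/$pkg.md5sums" 2>/dev/null)
    [ -n "$expected" ] || { echo "no md5sum recorded for $file in $pkg"; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "$file matches the $pkg manifest"
    else
        echo "$file DIFFERS from the $pkg manifest"; return 1
    fi
}
```

Typical use: `ps -eo pid,ppid,stat,comm | find_defunct_web_children` and `verify_against_package /usr/sbin/httpd`, run from a rescue environment rather than the possibly compromised system's own binaries.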
