[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security Guideance

Subject: Security Guideance
From: dwhite at olp.net (Dan White)
Date: Tue, 23 Feb 2010 14:39:41 -0600
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]>

On 23/02/10?15:19?-0500, Ronald Cotoni wrote:
>Quick suggestion BUT you may want to have Parallels look into it if
>you can't seem to find it since you pay for the support anyways.  You
>may also want to check to see if it is a cron job that is doing it (if
>the machine was root kitted, you may have accidentally copied a cron
>job over.  Another suggestion would be simply move half the accounts
>to one server and half to another and see if it ddoses again and keep
>doing that until you find the problem account.

I'll second that. I've found a few interesting items in my
/var/spool/cron/crontab before.

Also check your web server logs. If someone has compromised an account via
an apache/php vulnerability, it might show up in your access/error log
(I saw 'wget' in my logs once).

I assume you've checked 'last' to make sure they're not getting in via a
remote shell.

ls -ltra is your friend when finding the most recently created files in your
filesystem.

If you suspect there's a running process doing it, look through your /proc
directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.

-- 
Dan White

Follow-Ups:
- Security Guideance
  - From: acv at miniguru.ca (acv)

References:
- Security Guideance
  - From: pstewart at nexicomgroup.net (Paul Stewart)
- Security Guideance
  - From: setient at gmail.com (Ronald Cotoni)

Prev by Date: Security Guideance
Next by Date: Security Guideance
Previous by thread: Security Guideance
Next by thread: Security Guideance
Index(es):
- Date
- Thread