[Cialug] CentOS Security
L. V. Lammert
lvl at omnitec.net
Wed Mar 2 10:20:13 CST 2011
We had a web server (the only services exposed are a few web server &
php, .. not even any ssl or sensitive data) go bonkers a few days
ago, .. it appeared to be running some sort of attack code generating
a humongous amount of outbound traffic on port 80 to a server in
Romania. After finally getting a login I could find nothing unusual,
and, upon rebooting, I could not locate any trace of a login on
the box nor any unusual changed files.
Two questions:
* Is it possible that the vector was a php attack that was memory
resident (and cleared on reboot)?
* Does it make sense to block *outbound* port 80?
Any suggestions would be appreciated, ..
Lee
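On the second question (blocking outbound port 80), the following is an added example and is not part of Lee's post: an iptables egress policy for a CentOS web server that uses the `owner` match so that processes running as the web server's user cannot open new outbound HTTP/HTTPS connections, while root can still reach package mirrors. It assumes (hypothetically) that httpd/php run as user `apache`, that updates are fetched as root, and that the box still uses iptables with the `state` and `owner` modules; adjust the user and ports for your server.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Egress filtering for a CentOS web server: the web server user gets its
# new outbound connections logged and rejected, root keeps 80/443 for yum.
# Assumption: httpd/php run as "apache" (override with WEB_USER=...).

WEB_USER="${WEB_USER:-apache}"

# egress_rules prints the rule set as iptables commands and applies nothing;
# review the output, then feed it to apply_egress_rules (or to sh) as root.
egress_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $WEB_USER -m limit --limit 5/min -j LOG --log-prefix "EGRESS-$WEB_USER: "
iptables -A OUTPUT -m owner --uid-owner $WEB_USER -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -m owner --uid-owner root -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -m state --state NEW -j ACCEPT
EOF
}

# apply_egress_rules flushes the OUTPUT chain and loads the rules above.
# Only call this as root on the target host; "sh -e" stops at the first
# rule iptables refuses, so a typo does not leave a half-loaded policy.
apply_egress_rules() {
    iptables -F OUTPUT || return 1
    egress_rules | sh -e
}

# Running the script with no arguments only prints the rules.
if [ "$1" = "--apply" ]; then
    apply_egress_rules
else
    egress_rules
fi
```

The order matters: replies to inbound web connections match the ESTABLISHED rule before the per-user rules are reached, so serving pages keeps working, but a PHP process trying to open a fresh socket to a remote host on any port hits the LOG and REJECT rules first. REJECT rather than DROP makes the malicious script fail immediately instead of hanging on timeouts, and the logged line is the trace that was missing after the reboot in the original incident. The caveat: `-m owner` only sees locally generated packets and only distinguishes by uid, so anything that escalates to root, or a legitimate PHP application that needs to call out to an API, needs its own rule.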