Help - Search - Members - Calendar
Full Version: How to identify Apache worm
The Planet Forums > Security > General Security
Chris-M
Jul 24 2009, 09:47 AM
Can anyone help with how to identify what worm has infected our CentOS 5 server?

Apache is redirecting to Malware URLs randomly on all sites on the server, but I have run scans with ClamAV/rkhunter/chrootkit and none of them found anything.

The server is running Apache 2.2.3-22.el5.centos.2, PHP 5.1.6-23.2.el5_3 and Plesk 8.3.0.

Restarting Apache temporarily resolves the problem but then it comes back, presumably whenever the vulnerable script is exploited again.

Any help is much appreciated, thanks.

Chris
rfxn
Jul 24 2009, 01:29 PM
run the following and provide output:
ps -U nobody | grep -v httpd
Chris-M
Jul 24 2009, 05:19 PM
Hi rfxn,

No results from that output:

CODE
[root@server ~]# ps -U nobody | grep -v httpd
  PID TTY          TIME CMD


Thanks.
rfxn
Jul 24 2009, 08:13 PM
Chris, if you contact me directly at RASupportRyan on aim or rfxn@msn.com on msn I would be very much interested in helping you explore this issue further.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.