Re: apache compromised to send spam, need way to check file access
From: Newsbox (nospam_for_me_please_at_thanks.invalid)
Date: 04/25/05
- Next message: Richard Corfield: "LKM trojan? and large .xsession-errors"
- Previous message: Jem Berkes: "Re: apache compromised to send spam, need way to check file access"
- In reply to: Jem Berkes: "Re: apache compromised to send spam, need way to check file access"
- Next in thread: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- Reply: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- Reply: Ohmster: "Re: apache compromised to send spam, need way to check file access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Apr 2005 02:44:11 -0400
On Mon, 25 Apr 2005 05:28:15 +0000, Jem Berkes wrote:
>> What I desperately need is to find a way to see what web directory
>> files are being unusually accessed a lot, with regard to the rest of
>> the site.
>
Jem is a smart guy who has helped me more than once before (and right
here!). What he says has value.
> Sorry, I just skimmed through your post. Remember that you really can't
> trust any tools you use (even as root) on a compromised host.
It is regrettable that you find yourself in this predicament. Please
don't let it happen to you again. As complex as your requirements are,
you should be using an IDS like tripwire, for early alerts for intrusions.
That's 20/20 hindsight, but probably too late and not what you need most
right now.
Get some tools that you can trust, so you can see what has really
happened. Many would say to immediately disconnect, and they would have
good reasons. Whether you immediately disconnect or not might be your own
choice in the short term. As long as you don't disconnect, whoever may
have access to your systems may continue to infect and restrict your
efforts.
Often, the best immediate forensic response is to boot from a "read only"
OS like Knoppix (CD-ROM).
www.knoppix.org
http://cart.cheapbytes.com/cgi-bin/cart/scan/mp=category/se=502/tf=title.html?id=en9NQIQV
> But I would be tempted to try using 'lsof' (install it if you don't
> already have it) to see what files are currently in use. As the web
> server fetches files, they will be visible by lsof in real-time.
If you cannot promptly control this, then please disconnect. I wish you
well and good luck.
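The lsof approach Jem suggests and Newsbox endorses above, worked into a small script as an added example (this is not code from either poster). It assumes Apache's worker processes are named httpd (pass apache2 if that is what your distribution uses) and that the document root is /var/www/html; the lsof -F output embedded in the script is constructed for illustration. As the thread warns, lsof and everything else on a compromised box may be trojaned, so run a copy from trusted media where you can, and treat the ranking as a lead, not proof.

```shell
#!/bin/sh
# Added example, not part of the original post.  Samples `lsof -F n` for the
# web server's processes and ranks the files under the web root by how often
# they show up across the samples, so a file Apache keeps hitting far more than
# the rest of the site floats to the top.
# Assumptions: command name httpd (or apache2), web root /var/www/html.
# Caveat from the thread: lsof on a compromised host may itself be trojaned.

# tally_open_files WEBROOT
#   Reads `lsof -F n` output on stdin.  -F n emits one field per line:
#   'p<pid>' for each process, then 'n<name>' for each open file of that
#   process (sockets show up as 'n*:80' and the like).  Keeps only names
#   under WEBROOT and prints "count path", most frequent first, ties by path.
#   Paths containing spaces are not handled.
tally_open_files() {
    root=$1
    grep '^n' | cut -c2- \
      | grep "^$root/" \
      | sort | uniq -c \
      | awk '{ print $1, $2 }' \
      | sort -k1,1nr -k2,2
}

# sample_httpd_files WEBROOT [COMMAND] [SAMPLES] [INTERVAL]
#   Polls lsof SAMPLES times, INTERVAL seconds apart, for processes whose
#   command starts with COMMAND, and feeds everything seen to
#   tally_open_files.  Run it long enough to cover the spam bursts.
sample_httpd_files() {
    root=$1; cmd=${2:-httpd}; n=${3:-30}; every=${4:-1}
    i=0
    while [ "$i" -lt "$n" ]; do
        # -n: no DNS lookups (faster, and no traffic from the suspect host)
        lsof -n -F n -c "$cmd" 2>/dev/null
        i=$((i + 1))
        sleep "$every"
    done | tally_open_files "$root"
}

# Constructed sample of two polls of two httpd workers (not real lsof output).
# /var/www/html/upload/form.php is open in every poll by every worker, which
# is the kind of outlier the original poster was asking how to find.
SAMPLE_LSOF='p1201
n/usr/sbin/httpd
n/var/www/html/index.html
n/var/www/html/upload/form.php
p1202
n/usr/sbin/httpd
n/var/www/html/upload/form.php
n*:80
p1201
n/var/www/html/upload/form.php
n/var/www/html/about.html
p1202
n/var/www/html/upload/form.php
n/var/www/html/index.html'

# rank_sample
#   Runs the tally over the constructed sample so the script demonstrates
#   itself offline; live use is `sample_httpd_files /var/www/html httpd 60 1`.
rank_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | tally_open_files /var/www/html
}

rank_sample
```

On a live host the live call is sample_httpd_files /var/www/html httpd 60 1 (or apache2 in place of httpd); cross-check whatever tops the list against the access log and against a known-good copy of the site, since neither the log nor the binaries on the box can be taken at face value.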