LinuxQuestions.org
09-27-2007, 07:14 PM   #1
guillermo
LQ Newbie

Registered: Aug 2007
Location: Argentina
Posts: 25

Rep: Reputation: 15
http security problem/attack?


Hello, in my /var/log/secure I have tons of this report. Does anyone know what it means exactly?

Sep 27 12:00:01 hostname sudo: root : TTY=unknown ; PWD=/root ; USER=apache ; COMMAND=/usr/bin/find /var/www/path/path -type f -name *.dat -mtime +1 -exec /bin/rm -rf {} ;

Am I under an attack? How can I stop it?

Any clue will be very helpful!!!

Regards!
 
09-27-2007, 10:20 PM   #2
stress_junkie
Senior Member

Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
Quote:
Originally Posted by guillermo
Sep 27 12:00:01 hostname sudo: root : TTY=unknown ; PWD=/root ; USER=apache ; COMMAND=/usr/bin/find /var/www/path/path -type f -name *.dat -mtime +1 -exec /bin/rm -rf {} ;
This is really self-explanatory if you take a moment to look at each part of the message. This says that the user logged in on the account named apache is using sudo to run the find command as root. The find command is searching /var/www/path/path for regular files named *.dat that were last accessed more than one day ago. Then it deletes these files. TTY = unknown because this process is not logged in on a terminal; it is a detached process. It is either a cron job or the apache daemon process is running it directly. PWD = /root because it has used sudo to act as the root account for the find command.

The reason that it shows up in your security log is because your system is set to log all uses of the sudo command. This is a good thing.

It looks like this is just a normal maintenance procedure for apache. I don't know why it wants to run as the root account but the command that it is running is not going to hurt anything unless you want to keep the files that it is deleting.

By the way this had better not be homework. I noticed that your other post is about running apache. If you are taking a class don't bring your homework here for us to do for you.

Last edited by stress_junkie; 09-27-2007 at 10:32 PM.
 
09-27-2007, 10:52 PM   #3
win32sux
LQ Guru

Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by stress_junkie
last accessed more than one day ago.
I'm sure you meant "last modified more than one day ago".
 
09-27-2007, 11:21 PM   #4
stress_junkie
Senior Member

Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
Quote:
Originally Posted by win32sux
I'm sure you meant "last modified more than one day ago".
Oh. Hmmmph. Ah. Yes. That's what I meant.
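
Added example (not part of the original thread or any poster's reply): a small Python parser for the sudo record quoted in post #1. In sudo's log format the name before the first " : " is the invoking account and USER= is the account the command ran as; the parser splits those out along with TTY, PWD and COMMAND, and counts identical records to show a recurring job. Only the first sample line comes from the thread; the other two lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first line is the one quoted in the thread; the
# other two are made up for this example.
SAMPLE = """\
Sep 27 12:00:01 hostname sudo: root : TTY=unknown ; PWD=/root ; USER=apache ; COMMAND=/usr/bin/find /var/www/path/path -type f -name *.dat -mtime +1 -exec /bin/rm -rf {} ;
Sep 28 12:00:01 hostname sudo: root : TTY=unknown ; PWD=/root ; USER=apache ; COMMAND=/usr/bin/find /var/www/path/path -type f -name *.dat -mtime +1 -exec /bin/rm -rf {} ;
Sep 28 14:31:07 hostname sudo: alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\ssudo(?:\[\d+\])?:\s+(\S+)\s:\s(.*)$")

def parse_sudo_line(line):
    """Split one syslog sudo record into its fields, or return None."""
    m = PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, invoker, rest = m.groups()
    # COMMAND= is always last and may itself contain " ; " (find -exec ... ;),
    # so cut it off before splitting the other fields on ";".
    head, sep, command = rest.partition("COMMAND=")
    if not sep:
        return None
    rec = {"time": ts, "host": host, "invoker": invoker,
           "command": command.strip(), "notes": []}
    for part in (p.strip() for p in head.split(";")):
        key, eq, val = part.partition("=")
        if eq and key.isupper():
            rec[key.lower()] = val          # TTY, PWD, USER (the run-as account)
        elif part:
            rec["notes"].append(part)       # e.g. "3 incorrect password attempts"
    return rec

def triage(rec):
    """Summarise who ran the command, as whom, and whether a terminal was attached."""
    return {"ran_by": rec["invoker"], "ran_as": rec.get("user"),
            "interactive": rec.get("tty") != "unknown",
            "failed": bool(rec["notes"])}

def recurring(text):
    """Count identical (invoker, run-as, command) records to expose scheduled jobs."""
    recs = filter(None, map(parse_sudo_line, text.splitlines()))
    return Counter((r["invoker"], r.get("user"), r["command"]) for r in recs)

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(triage(parse_sudo_line(line)))
    print(recurring(SAMPLE).most_common(1))
```

A record that repeats at the same time each day with TTY=unknown is worth matching against the crontabs on the host before treating it as hostile.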
 
  

