Re: ping22: can not kill this process

Hi Luis:

        thanks.

>
> Did you check to see whether /usr/sbin/apache2 was modified? Or was it
> only the running process that had somehow been stack-overflow'd?
>

        I checked the apache using debsums seems ok.

shopping:/usr/sbin# debsums apache2-mpm-prefork /usr/sbin/apache2
OK
/usr/share/doc/apache2-mpm-prefork/NEWS.Debian.gz OK
/usr/share/doc/apache2-mpm-prefork/copyright OK
/usr/share/doc/apache2-mpm-prefork/changelog.gz OK
/usr/share/doc/apache2-mpm-prefork/changelog.Debian.gz OK

          How can I check a process being stack-overflowed or not?

> IMHO, I'd declare this box as "compromised" and redo the whole thing.
> Copy all data to a new box and install tripwire (or something of that
> sort), plus follow the Debian security manual to the last bit, before
> putting the box online again.

         will do. I had tripwire turned on before, it seems quite slow. so I turned it off.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

>
> A few links:
>
> http://www.debian.org/doc/manuals/securing-debian-howto
> http://wiki.debian.org/SELinux/Setup
> http://wiki.debian.org/Hardening|Hardening<http://wiki.debian.org/Hardening%7CHardening>
>

        great links.

>
> I know that you already had SELinux enabled (after the fact?). So, you
> might already have enough information to build a better box.
>

          Yah, it is a after the fact action. but I have those parameters for SELinux, some lib/apps need that. which may not safe,

allow_execstack --> on
allow_execmem --> on
allow_execmod --> off
allow_execheap --> off

         if the allow_execstack was off and  the application was stack

-- 
Best Regards

Mike



-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org