Server compromised through Apache 2.2

Hi,

I believe that my server was compromised through Apache 2.2!
A few months ago I started having problems with Apache wherein it wouldn't
accept connections and pages would just not load. Upon investigating, I
would find the following commands running on my server:

apache 30689 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l1
apache 30692 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l2
apache 30695 0.0 0.1 3748 2020 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l3
apache 30698 0.0 0.2 3880 2052 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l4
apache 30752 0.0 0.2 3744 2068 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m j1
apache 30755 0.6 0.2 3744 2064 ? S 14:04 0:35 /usr/local/apache/bin/httpd -DSSL -m j2
apache 30758 1.3 0.2 3744 2072 ? S 14:04 1:14 /usr/local/apache/bin/httpd -DSSL -m j3
apache 30761 0.6 0.2 3744 2040 ? S 14:04 0:36 /usr/local/apache/bin/httpd -DSSL -m j4
apache 30856 0.3 0.2 4348 2660 ? S 14:05 0:18 /usr/local/apache/bin/httpd -DSSL -m f

Not thinking too much of it, I would just manually kill these processes and
restart HTTPD on the server, and everything would be running fine, until the
next day... where the same thing would happen.

Upon investigating and finding that -m is not a valid flag of Apache, I went
further to find that the directory /usr/local/apache/bin in fact does not
even exist. So I did some more investigating and I found the following file
on my server: /tmp/cmdtemp, which contained the following:

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 30855
[14:05] --- Loading eggdrop v1.6.6 (Wed May 21 2008)
[14:05] Module loaded: transfer
[14:05] Listening at telnet port 9999 (users)
[14:05] Module loaded: channels
[14:05] Module loaded: server
[14:05] Module loaded: ctcp
[14:05] Module loaded: irc
[14:05] Module loaded: share
[14:05] Module loaded: filesys          (with lang support)
[14:05] Module loaded: console          (with lang support)
[14:05] Module loaded: blowfish
[14:05] Module loaded: assoc            (with lang support)
[14:05] Module loaded: wire             (with lang support)
[14:05] aHaserver =======================================
[14:05] aHaserver      NeW HC TcL By jerry
[14:05] aHaserver =======================================
[14:05] aHaserver Prepare To Load...
[14:05] aHaserver jerry » version 2006 Loaded
[14:05] aHaserver jerry.tCl Loaded
[14:05] ProxyCheck.tcl version 1.1 by Ofloo is loaded.
[14:05] Userfile loaded, unpacking...
[14:05] === fubgkyy: 2 channels, 5 users.

Eggdrop v1.6.6 (C)1997 Robey Pointer (C)2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')

Eggdrop v1.6.6 (C)1997 Robey Pointer (C)2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')
Launched into the background  (pid: 30856)


This obviously means that my server has been compromised. Can anybody
suggest anything that I can do to stop this from happening? Or should I
rather format and reload Ubuntu?

Chris 
-- 
View this message in context: http://www.nabble.com/Server-compromised-through-Apache-2.2-tp17364251p17364251.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
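The poster found the bot by noticing two things: the path in argv[0] did not exist on disk, and httpd does not accept -m. The script below, an added example that is not part of the post or of the httpd project, automates both tells and adds a third that a process cannot forge from user space: the kernel-maintained link /proc/<pid>/exe, which still points at the real binary (suffixed " (deleted)" if it was unlinked after launch, a common habit of droppers started from /tmp) no matter what the process wrote over its own argv. The option set is the one `httpd -h` prints for 2.2; the sample records are constructed from the ps output in the post, and the /tmp/.bot/eggdrop paths are an assumption, since the post does not say where the bot binary lived.

```python
#!/usr/bin/env python3
"""Flag processes whose command line does not match what they really are.

Added example, not code from the post or the httpd project. Checks, per process:
  * argv[0] names an absolute path that does not exist on disk;
  * argv[0] disagrees with the real executable behind /proc/<pid>/exe;
  * the executable was unlinked after start ("(deleted)" suffix);
  * a process calling itself httpd/apache2 carries an option httpd rejects.
Run with --live as root on Linux to walk /proc; without it, runs the samples.
"""
import os
import sys
from dataclasses import dataclass

# Single-letter options httpd 2.2 accepts (from `httpd -h`). Assumption: a
# vendor-patched build may differ; regenerate this set from your own binary.
HTTPD_OPTIONS = set("DdfCceEvVhlLtSXMk")
HTTPD_NAMES = {"httpd", "apache2"}


@dataclass
class Proc:
    pid: int
    argv: list          # /proc/<pid>/cmdline split on NUL
    exe: str = ""       # readlink(/proc/<pid>/exe), "" if unreadable


def check(proc, path_exists=os.path.exists, realpath=os.path.realpath):
    """Return the reasons this process looks spoofed; an empty list means clean.

    path_exists/realpath are injectable so the logic can run against
    constructed records without touching the real filesystem.
    """
    reasons = []
    if not proc.argv:
        return reasons                      # kernel threads have no cmdline
    argv0 = proc.argv[0]
    deleted = proc.exe.endswith(" (deleted)")
    exe = proc.exe[:-len(" (deleted)")] if deleted else proc.exe

    if argv0.startswith("/"):
        if not path_exists(argv0):
            reasons.append(f"argv[0] {argv0} does not exist on disk")
        elif exe and realpath(argv0) != realpath(exe):
            reasons.append(f"argv[0] says {argv0} but /proc/{proc.pid}/exe -> {proc.exe}")
    if deleted:
        reasons.append(f"binary {exe} was unlinked after start")
    if os.path.basename(argv0) in HTTPD_NAMES:
        bad = [a for a in proc.argv[1:]
               if len(a) > 1 and a[0] == "-" and a[1] not in HTTPD_OPTIONS]
        if bad:
            reasons.append(f"options httpd does not accept: {' '.join(bad)}")
    return reasons


def read_proc(pid):
    """Build a Proc from /proc (Linux only); raises OSError if the pid vanished."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:                         # not our process, or a kernel thread
        exe = ""
    return Proc(pid, argv, exe)


def scan_proc():
    """Return {pid: reasons} for every live process that trips a check."""
    hits = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            proc = read_proc(int(name))
        except OSError:
            continue                        # raced with process exit
        reasons = check(proc)
        if reasons:
            hits[proc.pid] = reasons
    return hits


# Constructed records modelled on the ps output in the post. The exe paths are
# assumptions: the post does not say where the bot binary lived.
SAMPLE = [
    Proc(30698, ["/usr/local/apache/bin/httpd", "-DSSL", "-m", "l4"], "/tmp/.bot/eggdrop"),
    Proc(30856, ["/usr/local/apache/bin/httpd", "-DSSL", "-m", "f"], "/tmp/.bot/eggdrop (deleted)"),
    Proc(4242, ["/usr/sbin/apache2", "-k", "start"], "/tmp/.bot/eggdrop"),  # real name, wrong binary
    Proc(1234, ["/usr/sbin/apache2", "-k", "start"], "/usr/sbin/apache2"),  # the genuine server
]
SAMPLE_FS = {"/usr/sbin/apache2"}          # what "exists" in the constructed filesystem


def check_samples():
    """Run check() over SAMPLE against the constructed filesystem."""
    return {p.pid: check(p, path_exists=SAMPLE_FS.__contains__, realpath=lambda s: s)
            for p in SAMPLE}


if __name__ == "__main__":
    hits = scan_proc() if "--live" in sys.argv else check_samples()
    for pid, reasons in sorted(hits.items()):
        print(f"pid {pid}:")
        for r in reasons:
            print(f"    {r}")
```

The /proc/<pid>/exe comparison is the one worth trusting: renaming argv[0] is a user-space trick any program can do, but only a kernel-level rootkit can lie about exe. For that reason a check like this belongs in a baseline taken before compromise, run from tools you brought with you, and it does not replace the reinstall the poster is considering: it tells you what is running, not how it got there.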


