netdynamix Posted May 21, 2008

Hi, I believe that my server was compromised through Apache 2.2! A few months ago I started having problems with Apache wherein it wouldn't accept connections and pages would just not load. Upon investigating, I would find the following commands running on my server:

apache 30689 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l1
apache 30692 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l2
apache 30695 0.0 0.1 3748 2020 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l3
apache 30698 0.0 0.2 3880 2052 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l4
apache 30752 0.0 0.2 3744 2068 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m j1
apache 30755 0.6 0.2 3744 2064 ? S 14:04 0:35 /usr/local/apache/bin/httpd -DSSL -m j2
apache 30758 1.3 0.2 3744 2072 ? S 14:04 1:14 /usr/local/apache/bin/httpd -DSSL -m j3
apache 30761 0.6 0.2 3744 2040 ? S 14:04 0:36 /usr/local/apache/bin/httpd -DSSL -m j4
apache 30856 0.3 0.2 4348 2660 ? S 14:05 0:18 /usr/local/apache/bin/httpd -DSSL -m f

Not thinking too much of it, I would just manually kill these processes and restart HTTPD on the server, and everything would be running fine, until the next day... where the same thing would happen. Upon investigating and finding that -m is not a valid flag of Apache, I went further to find that the directory /usr/local/apache/bin in fact does not even exist.
So I did some more investigating and I found the following file on my server: /tmp/cmdtemp, which contained the following:

==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 30855
[14:05] --- Loading eggdrop v1.6.6 (Wed May 21 2008)
[14:05] Module loaded: transfer
[14:05] Listening at telnet port 9999 (users)
[14:05] Module loaded: channels
[14:05] Module loaded: server
[14:05] Module loaded: ctcp
[14:05] Module loaded: irc
[14:05] Module loaded: share
[14:05] Module loaded: filesys (with lang support)
[14:05] Module loaded: console (with lang support)
[14:05] Module loaded: blowfish
[14:05] Module loaded: assoc (with lang support)
[14:05] Module loaded: wire (with lang support)
[14:05] aHaserver =======================================
[14:05] aHaserver NeW HC TcL By jerry
[14:05] aHaserver =======================================
[14:05] aHaserver Prepare To Load...
[14:05] aHaserver jerry » version 2006 Loaded
[14:05] aHaserver jerry.tCl Loaded
[14:05] ProxyCheck.tcl version 1.1 by Ofloo is loaded.
[14:05] Userfile loaded, unpacking...
[14:05] === fubgkyy: 2 channels, 5 users.
Eggdrop v1.6.6 ©1997 Robey Pointer ©2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')
Eggdrop v1.6.6 ©1997 Robey Pointer ©2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')
Launched into the background (pid: 30856)

This obviously means that my server has been compromised. Can anybody suggest anything that I can do to stop this from happening? Or should I rather format and reload Ubuntu?

Chris
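A defender-side check for the symptom described in this post, added here as an example and not part of the thread: the bot's fake argv[0] names a path that does not exist on disk and disagrees with the process's real executable, which the kernel exposes through /proc/<pid>/exe and which the process cannot rewrite. The eggdrop path, the apache2 path and the sample processes below are constructed.

```python
"""Spot processes whose argv[0] impersonates another binary (added example).

A process can rewrite its own argv, but it cannot forge the /proc/<pid>/exe
symlink, so the claimed path and the real executable can be compared.
"""
import os
from typing import Callable, Dict, List, Optional

def suspicious_reasons(argv: List[str], exe: Optional[str],
                       path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings for one process; an empty list means nothing odd."""
    reasons: List[str] = []
    if not argv or not argv[0].startswith("/"):
        return reasons                   # relative argv[0]: nothing to compare against
    claimed = argv[0]
    if not path_exists(claimed):
        reasons.append(f"argv[0] claims {claimed}, which does not exist on disk")
    if exe is not None:
        # Resolve symlinks only for paths that exist; a bogus path is just normalised.
        resolved = os.path.realpath(claimed) if path_exists(claimed) else os.path.normpath(claimed)
        if resolved != exe:
            reasons.append(f"argv[0] claims {claimed} but /proc/<pid>/exe is {exe}")
    return reasons

def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc on Linux and return {pid: reasons} for every flagged process."""
    findings: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue                     # kernel threads, exited pids, other users' processes
        reasons = suspicious_reasons(argv, exe)
        if reasons:
            findings[int(name)] = reasons
    return findings

if __name__ == "__main__":
    # Offline demo with a constructed process modelled on the thread's ps output;
    # the eggdrop path is made up and only the legitimate apache2 path "exists".
    fake_fs = lambda p: p == "/usr/sbin/apache2"
    print(suspicious_reasons(["/usr/local/apache/bin/httpd", "-DSSL", "-m", "l1"],
                             "/home/web/.tmp/eggdrop", path_exists=fake_fs))
    print(suspicious_reasons(["/usr/sbin/apache2", "-k", "start"], "/usr/sbin/apache2", fake_fs))
```

Running `scan_proc()` as root on a live Linux host applies the same two checks to every process; processes started by a relative name are skipped rather than guessed at.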
steviewdr Posted May 23, 2008

Format and reload the OS. Keep all security updates for the OS applied.

apt-get update
apt-get upgrade

-steve