
Server Hacked through Apache 2.2???


netdynamix


Hi,


I believe that my server was compromised through Apache 2.2!

A few months ago I started having problems with Apache wherein it wouldn't accept connections and pages would just not load. Upon investigating, I would find the following commands running on my server:


apache 30689 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l1
apache 30692 0.0 0.1 3748 1992 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l2
apache 30695 0.0 0.1 3748 2020 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l3
apache 30698 0.0 0.2 3880 2052 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m l4
apache 30752 0.0 0.2 3744 2068 ? S 14:04 0:00 /usr/local/apache/bin/httpd -DSSL -m j1
apache 30755 0.6 0.2 3744 2064 ? S 14:04 0:35 /usr/local/apache/bin/httpd -DSSL -m j2
apache 30758 1.3 0.2 3744 2072 ? S 14:04 1:14 /usr/local/apache/bin/httpd -DSSL -m j3
apache 30761 0.6 0.2 3744 2040 ? S 14:04 0:36 /usr/local/apache/bin/httpd -DSSL -m j4
apache 30856 0.3 0.2 4348 2660 ? S 14:05 0:18 /usr/local/apache/bin/httpd -DSSL -m f


Not thinking too much of it, I would just manually kill these processes and restart HTTPD on the server, and everything would be running fine, until the next day... where the same thing would happen.


Upon investigating and finding that -m is not a valid flag of Apache, I went further to find that the directory /usr/local/apache/bin in fact does not even exist. So I did some more investigating and I found the following file on my server: /tmp/cmdtemp, which contained the following:


==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 30855
[14:05] --- Loading eggdrop v1.6.6 (Wed May 21 2008)
[14:05] Module loaded: transfer
[14:05] Listening at telnet port 9999 (users)
[14:05] Module loaded: channels
[14:05] Module loaded: server
[14:05] Module loaded: ctcp
[14:05] Module loaded: irc
[14:05] Module loaded: share
[14:05] Module loaded: filesys          (with lang support)
[14:05] Module loaded: console          (with lang support)
[14:05] Module loaded: blowfish
[14:05] Module loaded: assoc            (with lang support)
[14:05] Module loaded: wire            (with lang support)
[14:05] aHaserver =======================================
[14:05] aHaserver      NeW HC TcL By jerry
[14:05] aHaserver =======================================
[14:05] aHaserver Prepare To Load...
[14:05] aHaserver jerry » version 2006 Loaded
[14:05] aHaserver jerry.tCl Loaded
[14:05] ProxyCheck.tcl version 1.1 by Ofloo is loaded.
[14:05] Userfile loaded, unpacking...
[14:05] === fubgkyy: 2 channels, 5 users.

Eggdrop v1.6.6 ©1997 Robey Pointer ©2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')

Eggdrop v1.6.6 ©1997 Robey Pointer ©2001 Eggheads
USERFILE ALREADY EXISTS (drop the '-m')
Launched into the background  (pid: 30856)


This obviously means that my server has been compromised. Can anybody suggest anything that I can do to stop this from happening? Or should I rather format and reload Ubuntu?


Chris
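A check that would have flagged the processes listed in the post, added here as an example and not taken from the thread: it compares what each process claims in argv[0] against what the kernel is actually executing (/proc/<pid>/exe) and notes the eggdrop-only -m flag on something calling itself httpd. The sample records, including the eggdrop path in them, are constructed for the demonstration.

```python
import os
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    argv: list        # command line as the process itself reports it
    exe: str = ""     # what the kernel is really running: readlink /proc/<pid>/exe

def read_procs():
    """Collect Proc records from /proc (Linux only; skips processes we cannot read)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:   # process exited, or belongs to another user
            continue
        procs.append(Proc(int(name), argv, exe))
    return procs

def suspicious(p, exists=os.path.exists):
    """Reasons this process looks like it is masquerading; empty list if it looks clean."""
    reasons = []
    if not p.argv or not p.argv[0].startswith("/"):
        return reasons
    claimed = p.argv[0]
    if not exists(claimed):
        reasons.append(f"argv[0] names a binary that does not exist: {claimed}")
    if p.exe and p.exe.replace(" (deleted)", "") != claimed:
        reasons.append(f"kernel is executing {p.exe}, not {claimed}")
    # eggdrop's -m (create a new userfile) is not an httpd option; the post's log shows it
    if os.path.basename(claimed) == "httpd" and "-m" in p.argv[1:]:
        reasons.append("httpd does not take -m; eggdrop does")
    return reasons

def audit(procs, exists=os.path.exists):
    """Map pid -> reasons for every process that raised at least one reason."""
    return {p.pid: suspicious(p, exists) for p in procs if suspicious(p, exists)}

# Constructed sample modelled on the listing in the post; the eggdrop path is made up.
SAMPLE = [
    Proc(30689, ["/usr/local/apache/bin/httpd", "-DSSL", "-m", "l1"], "/tmp/.hidden/eggdrop"),
    Proc(1234, ["/usr/sbin/apache2", "-k", "start"], "/usr/sbin/apache2"),
]

if __name__ == "__main__":
    for pid, why in audit(read_procs()).items():
        print(pid, "; ".join(why))
```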
