httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] Hacked ? /usr/local/apache/bin/httpd -DSSL ?
Date Wed, 02 Feb 2005 21:14:24 GMT
Someone uploaded a Perl file that changes its own process name. (I say
it is Perl because it is pretty common now.)
Look for any weird name in /tmp, /var/tmp or /usr/tmp, like raiden.pl etc.
Kill the process, and delete the file.
After that, see the logs, and find the insecure site.

mailarch@xy1.org wrote:
> Hello,
> 
> I run an Apache/1.3.29 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.3 mod_ssl/2.8.16 OpenSSL/0.9.7c.
> 
> Today I have seen with the top command two Perl processes by www-data which occupied all my CPU resources.
> 
> ps aux | grep pid_number_of_one_of_this_perl_processes gave me that:
> 
> melanie:/usr/local# ps aux | grep 10813
> www-data 10813 48.8  0.3  5128 3456 ?        R    20:54  11:18 /usr/local/apache/bin/httpd -DSSL
> root     12615  0.0  0.0  2056  732 pts/0    R    21:18   0:00 grep 10813
> 
> But I don't have a /usr/local/apache directory!!!
> 
> Has somebody hacked my Apache web server?
> 
> Should I contact the Debian apache package maintainer? Because I use the Debian stable version.
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
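
One way to confirm the renamed-process situation described in this thread, as an added example that is not part of the original messages: on Linux, `/proc/<pid>/exe` points at the binary that is really running, while `/proc/<pid>/cmdline` holds whatever name the process chose to show to `ps`. The function name `find_masquerading` and the comparison heuristic are assumptions of this example; run it as root to see other users' processes.

```python
import os


def find_masquerading(proc_root="/proc"):
    """Return (pid, real_exe, claimed_argv0, claimed_exists) for every process
    whose displayed absolute path is not the binary it is actually running."""
    suspects = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or no permission
        # A script that renames itself usually writes one string over argv,
        # so treat NUL and whitespace alike when extracting the first word.
        words = raw.replace(b"\0", b" ").decode("utf-8", "replace").split()
        if not words or not words[0].startswith("/"):
            continue  # titles such as "sshd: user@pts/0" claim no path
        claimed = words[0]
        if exe.endswith(" (deleted)"):
            exe = exe[: -len(" (deleted)")]
        real = os.path.realpath(exe)
        # realpath() on both sides tolerates symlinked binaries.
        if os.path.realpath(claimed) != real:
            suspects.append((int(entry), real, claimed, os.path.exists(claimed)))
    return sorted(suspects)


if __name__ == "__main__":
    for pid, real, claimed, exists in find_masquerading():
        note = "" if exists else "  [claimed path does not exist]"
        print(f"pid {pid}: shows {claimed} but runs {real}{note}")
```

A hit whose claimed path does not exist on disk matches what the original poster saw; `/proc/<pid>/cwd` and the process's open files then help locate the uploaded script before the process is killed.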

