httpd-users mailing list archives

From Laura Vance
Subject Re: [users@httpd] Hacked ? /usr/local/apache/bin/httpd -DSSL ?
Date Wed, 02 Feb 2005 21:33:01 GMT
A system that I administer was hacked last Easter.  It had been hacked 
twice before that, and I was replacing the software that I thought was 
the culprit, until I found after the Easter hack that something that I 
didn't think about was the problem.

The apache logs showed bad SSL handshake attempts.  It had 30 to 100 in 
rapid succession.  I realized that it wasn't a flaw in apache that was 
being hacked, but a flaw in the SSL engine that was being exploited.  I 
upgraded to OpenSSL version 0.9.7d, and I haven't been hacked since 
(knock on wood).  I think there's an even newer version of OpenSSL out, 
but I haven't checked to see if it addresses security holes or features.

I can't say if this is what happened to you, but it's something to check.

Also, like everyone else said, look for unusual files in /tmp/, /var/tmp/, 
and /usr/tmp/.  That seems to be where all of the bad stuff sets itself 
up.  Keep an eye on your system security checks for world-writable 
files, because the hacker files are always world-writable.

Good Luck wrote:

>I run an Apache/1.3.29 (Debian GNU/Linux) mod_gzip/ PHP/4.3.3 mod_ssl/2.8.16
>Today I have seen with the top command two Perl processes by www-data which occupied all my CPU resources.
>ps aux | grep pid_number_of_one_of_this_perl_processes gave me that:
>melanie:/usr/local# ps aux | grep 10813
>www-data 10813 48.8  0.3  5128 3456 ?        R    20:54  11:18 /usr/local/apache/bin/httpd
>root     12615  0.0  0.0  2056  732 pts/0    R    21:18   0:00 grep 10813
>But I don't have a /usr/local/apache directory!!!
>Has somebody hacked my apache web server?
>Should I contact the Debian apache package maintainer? Because I use the Debian stable
Laura Vance
Systems Engineer
Winfree Academy Charter Schools
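
The mismatch in the quoted ps output (a process reporting /usr/local/apache/bin/httpd on a host with no such directory) can be checked on Linux by comparing each process's argv[0] with its /proc/PID/exe link. The script below is an added example, not part of the original message; the function names check_pid and scan_proc are hypothetical.

```shell
#!/bin/sh
# Added example: a process can overwrite its argv[0] (Perl: $0), so ps may show
# a name unrelated to the binary actually running. /proc/PID/exe cannot be
# rewritten that way. A mismatch is a lead, not proof: daemons that retitle
# themselves and symlinked interpreters also differ.

# check_pid PROC_ROOT PID
# Prints "PID|verdict|exe|argv0"; verdict is ok, MISMATCH or DELETED.
# Exits 2 if the process is gone, is a kernel thread, or exe is unreadable.
check_pid() (
    root=$1 pid=$2
    exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exit 2
    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' 2>/dev/null < "$root/$pid/cmdline" | head -n 1)
    [ -n "$argv0" ] || exit 2
    argv0=${argv0#-}                       # login shells appear as "-bash"
    verdict=ok
    case $exe in
        *" (deleted)") verdict=DELETED ;;  # binary unlinked after start
        *) case $argv0 in
               /*) [ "$argv0" = "$exe" ] || verdict=MISMATCH ;;
               *)  [ "${argv0##*/}" = "${exe##*/}" ] || verdict=MISMATCH ;;
           esac ;;
    esac
    printf '%s|%s|%s|%s\n' "$pid" "$verdict" "$exe" "$argv0"
)

# scan_proc [PROC_ROOT]: print only processes that are not "ok".
# Run as root on a live system so other users' exe links are readable.
scan_proc() (
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        line=$(check_pid "$root" "${d##*/}") || continue
        case $line in *"|ok|"*) ;; *) printf '%s\n' "$line" ;; esac
    done
)
```

Calling scan_proc with no argument walks the live /proc; any line it prints names a PID whose real binary path is worth inspecting before the process is killed.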
