From: mailarch@xy1.org
To: users@httpd.apache.org
Date: Wed, 2 Feb 2005 22:09:53 +0100
Message-Id: <20050202210953.GA16381@xy1.org>
Subject: [users@httpd] Hacked ? /usr/local/apache/bin/httpd -DSSL ?

Hello,

I run an Apache/1.3.29 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.3
mod_ssl/2.8.16 OpenSSL/0.9.7c.

Today I saw with the top command two Perl processes by www-data which
occupied all my CPU resources.

ps aux | grep pid_number_of_one_of_this_perl_processes gave me this:

melanie:/usr/local# ps aux | grep 10813
www-data 10813 48.8 0.3 5128 3456 ? R 20:54 11:18 /usr/local/apache/bin/httpd -DSSL
root 12615 0.0 0.0 2056 732 pts/0 R 21:18 0:00 grep 10813

But I don't have a /usr/local/apache directory!!!

Has somebody hacked my Apache web server?
Should I contact the Debian apache package maintainer? Because I use the
Debian stable version.

-- 
saf
http://Archivum.info/ - Administrator

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
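The mismatch reported in the message above (top names Perl, ps shows an httpd path that is not on disk) can be checked directly: ps prints argv[0], which a process can set itself, while /proc/<pid>/exe points at the file the kernel actually executed. The script below is an added example, not part of the original post; the function name and output format are assumptions, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the original message): list processes whose argv[0]
# names a different program than the binary the kernel actually executed.
# The proc root is a parameter so the check can run on a constructed tree.

find_masquerading() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # exe: symlink to the executed file. Unreadable without root for other
        # users' processes, absent for kernel threads; skip those.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cmdline: NUL-separated argv; the first field is argv[0].
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        if [ -z "$exe" ] || [ -z "$argv0" ]; then continue; fi

        exe_path=${exe% (deleted)}   # suffix the kernel adds for unlinked files
        exe_name=${exe_path##*/}
        # Normalise common benign forms: "-bash" (login shell) and
        # "sshd: user@pts/0" (daemon that retitles itself).
        arg_name=${argv0%% *}
        arg_name=${arg_name%:}
        arg_name=${arg_name##*/}
        arg_name=${arg_name#-}
        if [ "$arg_name" = "$exe_name" ]; then continue; fi

        # Does the path claimed in argv[0] exist on disk at all?
        on_disk=n/a
        case $argv0 in
            /*) if [ -e "${argv0%% *}" ]; then on_disk=yes; else on_disk=no; fi ;;
        esac
        printf '%s\texe=%s\targv0=%s\targv0_on_disk=%s\n' \
            "$pid" "$exe" "$argv0" "$on_disk"
    done
    return 0
}

# Stand-alone use: sh check.sh /proc   (run as root to see every process)
if [ $# -gt 0 ]; then find_masquerading "$1"; fi
```

Hits are leads for triage, not verdicts: versioned interpreters (python3 vs python3.11) and multi-call binaries also differ by name, so the rows that matter are those where the real binary is an interpreter and the claimed path is missing from disk.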