Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 07 Jul 2009 15:50:06 -0700
From:      "" <>
To:        <>
Subject:   Hacker problem...Takes down apache?
Message-ID:  <40db8bb280d58ed7874492a66de0fa86@localhost>

Next in thread | Raw E-Mail | Index | Archive | Help

I run a virtual hosting server and one of my clients got hacked (weak
password in CMS).

 I was able to capture the php script that the hacker uploaded, as well as
some c and perl daemons (one looks to be basically like telnet -- should be
fairly harmless due to the restrictive hardware firewall, plus the one I
saw relies on a bash shell which I don't have). Also another one looks like
a generic network bouncer -- something like netcat. However what I can't
figure out is how it is causing interference with Apache (and possibly
networking in general). 

 The processes I've seen from this are running as www so I don't see
anything to suggest I've been rooted, but how else can it listen something
on port 80? It seems to be doing *something* to break Apache in an attempt
to hijack it.

 * Apache does not come back up from it's nightly log rotation (it
segfaults occasionally when it gets a signal "seg fault or similar nasty
error detected in the parent process" but I
have a script to auto restart
so it's not normally a problem). However top/ps/etc. show it as running.
 SERVER# /usr/local/etc/rc.d/apache22 stop
 apache22 not running? (check /var/run/
 SERVER# /usr/local/etc/rc.d/apache22 start
 Performing sanity check on apache22 configuration:
 Syntax OK
 Starting apache22.
 (48)Address already in use: make_sock: could not bind to address [::]:80
 (48)Address already in use: make_sock: could not bind to address
 no listening sockets available, shutting down
 Unable to open logs 

 After killing all httpd PIDs I am able to start it, and it runs according
to top/ps/etc, but it still does not work.

 * When connecting to port 80 on the web server with a web browser a "page
can not be displayed" error. A "lynx" give error "Alert!: Unable
to access document." However sockstat still shows httpd listening on port

* When doing a packet sniff "ngrep host  and not port 22" I see what
appears to be spammy pages
being served up in response to http queries (tho
they don't seem to make them to any browser). Even more interestingly, I
see http queries for domains/pages I host, but am not accessing from my IP
(standard traffic) even tho the ngrep command should restrict to my IP.
Also what looks like mysql replication environment variables (this server
does not use mysql replication).

 * Somehow there is a perl process listening on port 80......How can an
unprivliged process bind to a low port? 
 www httpd 75975 4 tcp4 *:* *:*
 www httpd 75975 5 tcp46 *:443 *:*
 www httpd 75975 6 tcp4 *:* *:*
 www httpd 75974 3 tcp46 *:80 *:*
 www httpd 75974 4 tcp4 *:* *:*
 www httpd 75974 5 tcp46 *:443 *:*
 www httpd 75974 6 tcp4 *:* *:*
 www httpd 75973 3 tcp46 *:80 *:*
 www httpd 75973 4 tcp4 *:* *:* 

 www perl5.8.8 33537 4 tcp4 *:80 *:*
 www perl5.8.8 33537 6 tcp4 *:443 *:*
 www perl5.8.8 33537 1431tcp4 *:11457 *:*
 www perl5.8.8 33537 1432tcp4 :80  

Want to link to this message? Use this URL: <>