[arch-general] My Apache Sever Compromised?

Theo Jones theo at theojones.name
Mon Mar 31 01:05:43 EDT 2014


If you are worried about the possibility of a system compromise, here are a few things you could try:

1. Check for the presence of any unusual files on your server. A lot of cracks aimed at web servers have the goal of hosting files from the cracked server (usually porn and warez). It might be a good idea to try using a live CD for this because some rootkits can hide the presence of the files from system tools such as the ls command.
2. Use a tool like Wireshark to monitor the incoming and outgoing traffic to the server and look for anything unusual (see https://wiki.archlinux.org/index.php/Wireshark).
3. Check the contents of your /etc/passwd file and look for any unusual user accounts (I also recommend a live CD for this).
4. Use the ps command to check the running processes, and look for any unusual processes. A lot of cracks modify ps. A cracked ps often has a much smaller file size than a regular ps.
5. Look at the output of the history command to view the past commands used on the server. If it does not return any output or returns commands that you did not enter then this could indicate a problem.
6. Run some rootkit detection programs like chkrootkit or rkhunter (these return a LOT of false positives).
7. Has anything else been acting up with the server? A lot of cracks break other things.
---Theo
> Date: Sat, 29 Mar 2014 22:45:35 -0400
> From: imntreal at gmail.com
> To: arch-general at archlinux.org
> Subject: Re: [arch-general] My Apache Sever Compromised?
> 
> On Sat, Mar 29, 2014 at 10:41 PM, Nowaker <enwukaer at gmail.com> wrote:
> >> I'm seeing some very strange behavior from my Apache web server, and
> >> I'm afraid it may have been compromised. Every time I start it, my
> >> router is saturated with the maximum number of connections it can
> >> handle, and my access_log starts filling with lines like:
> >
> > Start whatever HTTP server in place of Apache, and see if you still get
> > these requests by analyzing their access.logs. Then you will know if you
> > really get these requests or they are fake.
> 
> Thanks for the idea. I had just been approaching it from the idea of
> trying to figure out what was going on with Apache. I installed, and
> started Nginx, and sure enough, it started getting blown up with those
> requests. Now, I guess I have to figure out why on earth those
> requests would be coming to my humble home web server.
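Checks 3 and 4 from Theo's list, as an added shell script that is not part of the original thread: it flags passwd entries that have UID 0 but are not root or that have an empty password field, and it compares the PIDs visible in /proc against the PIDs that ps reports, since a trojaned ps usually omits the intruder's processes while /proc still lists them. It assumes a POSIX shell with awk and sed; the sample passwd data is constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the original thread): shell versions of checks 3 and 4.
# Assumes a POSIX shell with awk and sed, and /proc mounted for the live check.

# Check 3: entries in a passwd-format file that deserve a second look:
#   uid0:NAME    a UID 0 account other than root (a second superuser)
#   nopass:NAME  an empty password field (logs in with no password at all)
# $1 = passwd file to inspect (default /etc/passwd; from a live CD point it
#      at the mounted disk's copy, e.g. /mnt/etc/passwd)
suspicious_passwd_entries() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $2 == ""                { print "nopass:" $1 }
    ' "${1:-/etc/passwd}"
}

# Check 4: print PIDs that appear in the /proc list but not in the ps list.
# $1 = newline-separated PIDs from /proc, $2 = newline-separated PIDs from ps
pids_hidden_from_ps() {
    {
        printf '%s\n' "$2" | sed 's/^/ps /'
        printf '%s\n' "$1" | sed 's/^/proc /'
    } | awk '$2 == ""      { next }
             $1 == "ps"    { seen[$2] = 1; next }
             !($2 in seen) { print $2 }'
}

# Live wrapper. A process that starts or exits between the two snapshots can
# show up once by chance; a process hidden by a trojaned ps shows up on every
# run. A kernel-level rootkit can hide from /proc too, hence the live CD advice.
live_hidden_pids() {
    proc_pids=$(ls /proc | grep -E '^[0-9]+$')
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    pids_hidden_from_ps "$proc_pids" "$ps_pids"
}

# Constructed sample passwd data for the offline demo (not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh
guest::1001:1001::/home/guest:/bin/sh'

if [ "${1:-}" = "--live" ]; then
    echo "== suspicious /etc/passwd entries =="; suspicious_passwd_entries
    echo "== PIDs in /proc but missing from ps =="; live_hidden_pids
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    suspicious_passwd_entries "$tmp"; rm -f "$tmp"
fi
```

Run it with `--live` on the machine itself to inspect the real /etc/passwd and process list; without arguments it only runs the passwd check over the constructed sample.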