  1. #1
    Member
    Join Date
    Apr 2004
    Posts
    22

    Default httpd -DSSL

    We recently had a user using an old install of PHP. And a compromising script was running under the /cache folder.

    Anyhow the script was using

    httpd -DSSL

    And so was easy to spot running via netstat -anp.

    My gut feeling is the script is still on the server

    as I'm getting tons of

    10564 nobody 0 0.0 3.0 /usr/local/apache/bin/httpd -DSSL
    10565 nobody 0 0.0 3.3 /usr/local/apache/bin/httpd -DSSL
    11014 nobody 0 0.0 3.1 /usr/local/apache/bin/httpd -DSSL
    11026 nobody 0 0.0 3.1 /usr/local/apache/bin/httpd -DSSL
    11177 nobody 0 0.0 2.9 /usr/local/apache/bin/httpd -DSSL
    12396 nobody 0 0.0 2.1 /usr/local/apache/bin/httpd -DSSL
    13142 nobody 0 0.0 2.8 /usr/local/apache/bin/httpd -DSSL
    13591 nobody 0 0.0 2.8 /usr/local/apache/bin/httpd -DSSL

    For instance. But the weird thing is at the moment that is showing up on WHM ( Main >> System Health >> Show Current CPU Usage). but via netstat.

    If I kill these processes, more seem to pop up.

    Can I assume these are compromised scripts running?

  2. #2
    Member
    Join Date
    Sep 2006
    Posts
    48

    Default

    No. That is the web server binary running. httpd is the binary; -DSSL is to enable SSL support.

  3. #3
    Member
    Join Date
    Apr 2004
    Posts
    22

    Default

    Quote Originally Posted by rejected View Post
    No. That is the web server binary running. httpd is the binary; -DSSL is to enable SSL support.
    Here's what netstat -anp gives us


    tcp 0 1 69.46.24.172:33517 82.102.13.85:6667 SYN_SENT 11245/httpd -DSSL
    tcp 0 1 69.46.24.172:33519 82.102.13.85:6667 SYN_SENT 11256/httpd -DSSL
    tcp 0 1 69.46.24.172:33522 82.102.13.85:6667 SYN_SENT 31995/httpd -DSSL
    tcp 0 1 69.46.24.172:33527 82.102.13.85:6667 SYN_SENT 32022/httpd -DSSL
    tcp 0 1 69.46.24.172:33528 82.102.13.85:6667 SYN_SENT 32037/httpd -DSSL
    tcp 0 1 69.46.24.172:33531 82.102.13.85:6667 SYN_SENT 11280/httpd -DSSL
    tcp 0 1 69.46.24.172:33539 82.102.13.85:6667 SYN_SENT 14983/httpd -DSSL
    tcp 0 1 69.46.24.172:33541 82.102.13.85:6667 SYN_SENT 15008/httpd -DSSL
    tcp 0 1 69.46.24.172:33542 82.102.13.85:6667 SYN_SENT 15031/httpd -DSSL
    tcp 0 1 69.46.24.172:56432 62.212.130.136:6667 SYN_SENT 27945/httpd -DSSL
    tcp 0 1 69.46.24.172:56436 62.212.130.136:6667 SYN_SENT 27369/httpd -DSSL
    tcp 0 1 69.46.24.172:56424 62.212.130.136:6667 SYN_SENT 27340/httpd -DSSL


    I have csf running and obviously the 6667 ports are blocked. I know it's a script(s) running but I'm not having complete success in removing all of them.

  4. #4
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    "/usr/local/apache/bin/httpd -DSSL" is the binary running, it is not the script. Check to be sure of the binary's date, size, file format, etc. to be sure.

    However, if you think a "script" is running then it would likely show up as a cgi program or a perl program. If you think the binary is running something that is allowing a port then you might have a bigger problem, because httpd should not be listening on any ports but the ones you tell it to.

    Did you do "ps ax" to see everything AND run the "apache status" in the CP to see what exactly apache is feeding? Normally running the "ps ax" or something with more info will show you the PIDs of the http tasks, then you can run the apache status to see what those tasks are doing and who is requesting the info. It really should show itself pretty easily.

    But are you sure the 6667 is blocked? Seems like your apache might be trying to respond to an IRC server, but that normally means you have a bad apache httpd OR a perl program masquerading as an apache (but that would usually show up as perl on a "TOP" or a "ps axj" or something).
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  5. #5
    Member
    Join Date
    Apr 2004
    Posts
    22

    Default

    Quote Originally Posted by nyjimbo View Post
    "/usr/local/apache/bin/httpd -DSSL" is the binary running, it is not the script. Check to be sure of the binary's date, size, file format, etc. to be sure.

    However, if you think a "script" is running then it would likely show up as a cgi program or a perl program. If you think the binary is running something that is allowing a port then you might have a bigger problem, because httpd should not be listening on any ports but the ones you tell it to.

    Did you do "ps ax" to see everything AND run the "apache status" in the CP to see what exactly apache is feeding? Normally running the "ps ax" or something with more info will show you the PIDs of the http tasks, then you can run the apache status to see what those tasks are doing and who is requesting the info. It really should show itself pretty easily.

    But are you sure the 6667 is blocked? Seems like your apache might be trying to respond to an IRC server, but that normally means you have a bad apache httpd OR a perl program masquerading as an apache (but that would usually show up as perl on a "TOP" or a "ps axj" or something).
    We are using the csf firewall so the server should be blocking those ports (in theory). The reason I am suspecting a script is because we were alerted to an IRC being DoS'd from our server and indeed there was a nice PHP script, hidden in an old phpbb cache directory of an old customer (yes, bad maintenance on that incident).
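
An added example, not part of any post in this thread: one way to run the check discussed above, by picking out the sockets that something named httpd opened itself and then comparing each owning PID's /proc/PID/exe with the genuine binary. The function names are hypothetical, the sample netstat lines are constructed with documentation-range addresses, and the binary path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed `netstat -anp` lines (documentation-range addresses).
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2000/httpd -DSSL
tcp 0 0 192.0.2.10:80 203.0.113.7:51234 ESTABLISHED 2001/httpd -DSSL
tcp 0 1 192.0.2.10:33517 198.51.100.5:6667 SYN_SENT 11245/httpd -DSSL
tcp 0 1 192.0.2.10:33522 198.51.100.5:6667 SYN_SENT 31995/httpd -DSSL
EOF
}

# stdin: netstat -anp output. $1: ports Apache serves on.
# Prints "PID REMOTE" for sockets owned by something named httpd whose local
# port is not a served port, i.e. connections the process opened itself.
outbound_httpd() {
    awk -v ports="${1:-80 443}" '
    BEGIN { n = split(ports, s, " "); for (i = 1; i <= n; i++) served[s[i]] = 1 }
    $1 ~ /^tcp/ && $6 != "LISTEN" && $7 ~ /^[0-9]+\/httpd$/ {
        m = split($4, l, ":")
        if (!(l[m] in served)) { split($7, p, "/"); print p[1], $5 }
    }'
}

# stdin: lines starting with a PID. $1: path of the genuine binary.
# $2: proc root (default /proc). Prints "PID EXE" when the kernel's record of
# the executable differs from $1; the name shown by ps/netstat can be set by
# the process itself, /proc/PID/exe cannot.
not_real_httpd() {
    expected=$1
    proc=${2:-/proc}
    while read -r pid rest; do
        exe=$(readlink "$proc/$pid/exe" 2>/dev/null) || exe="(unreadable)"
        [ "$exe" = "$expected" ] || printf '%s %s\n' "$pid" "$exe"
    done
}

# Demo on the constructed sample; on a live host, as root:
#   netstat -anp | outbound_httpd "80 443" | not_real_httpd /usr/local/apache/bin/httpd
sample_netstat | outbound_httpd "80 443"
```

A PID that passes the exe check is a genuine Apache worker, so the connection comes from code running inside it (for example a PHP script under mod_php), and the Apache status page is then the place to tie that PID to a request.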
