Need an Advice!

[Voltar]

Did this show up during a recompile with EasyApache?

Edit: bah wtf on the post ordering.

[MakassarNET]

I received a lots of report email from my server with the following information.

Time: Wed Feb 11 12:54:39 2009 +0800
PID: 13071
Account: nobody
Uptime: 119 seconds


Executable:

/usr/local/apache/bin/httpd (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/local/apache/bin/httpd -k start -DSSL


Network connections by the process (if any):

tcp: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:443 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/usr/local/apache/logs/error_log
/dev/urandom
/usr/local/apache/logs/modsec_audit.log
/usr/local/apache/logs/modsec_debug_log
/usr/local/apache/domlogs/xxxxxxx.net-ssl_data_log
/usr/local/apache/logs/access_log
/usr/local/apache/domlogs/xxxxxxx.net-bytes_log
/usr/local/apache/domlogs/xxxxxxx.net-ssl_log
/usr/local/apache/domlogs/xxxxxxx.net
/usr/local/apache/domlogs/xxxxxxx.net-bytes_log
/usr/local/apache/domlogs/xxxxxxx.net
/usr/local/apache/domlogs/xxxxxxx.com-bytes_log
/usr/local/apache/domlogs/xxxxxxx.com
/usr/local/apache/logs/ssl_mutex (deleted) /usr/local/apache/logs/mod_jk.log
/usr/local/apache/logs/jk-runtime-status.26846
/usr/local/apache/logs/jk-runtime-status.26846.lock
eventpoll:[35500800]

I need an advice from someone if something is wrong with my server or does my server is compromise?

Thanks before.


Sincerely,

[Infopro]

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.

Wrong forum, try here:
http://forum.configserver.com/showthread.php?t=2059

[hydra]

Hi,

This usually is because of the auto update of cpanel or the os.
Check if there was actually an update of those files.

[MakassarNET]

I have found the problem. The errors actually coming after I upgrade my MySQL from 4.x to 5.x and I didn't recompile the Apache. It's done now. Thanks.


Sincerely,