The Community Forums


httpd -DSSL

Discussion in 'General Discussion' started by krusty, Jun 17, 2007.

  1. krusty

    krusty Member

    Joined:
    Apr 1, 2004
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    We recently had a user using an old install of PHP, and a compromising script was running under the /cache folder.

    Anyhow the script was using

    httpd -DSSL

    And so it was easy to spot running via netstat -anp.

    My gut feeling is the script is still on the server

    as i'm getting tons of

    10564 nobody 0 0.0 3.0 /usr/local/apache/bin/httpd -DSSL
    10565 nobody 0 0.0 3.3 /usr/local/apache/bin/httpd -DSSL
    11014 nobody 0 0.0 3.1 /usr/local/apache/bin/httpd -DSSL
    11026 nobody 0 0.0 3.1 /usr/local/apache/bin/httpd -DSSL
    11177 nobody 0 0.0 2.9 /usr/local/apache/bin/httpd -DSSL
    12396 nobody 0 0.0 2.1 /usr/local/apache/bin/httpd -DSSL
    13142 nobody 0 0.0 2.8 /usr/local/apache/bin/httpd -DSSL
    13591 nobody 0 0.0 2.8 /usr/local/apache/bin/httpd -DSSL

    For instance. But the weird thing is that at the moment that is showing up in WHM (Main >> System Health >> Show Current CPU Usage), but via netstat.

    If i kill these processes - more seem to pop up..

    Can I assume these are compromised scripts running?
     
  2. rejected

    rejected Well-Known Member

    Joined:
    Sep 19, 2006
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    0
    No. That is the web server binary running. httpd is the binary; -DSSL is to enable SSL support.
     
  3. krusty

    krusty Member

    Joined:
    Apr 1, 2004
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Here's what netstat -anp gives us:


    tcp 0 1 69.46.24.172:33517 82.102.13.85:6667 SYN_SENT 11245/httpd -DSSL
    tcp 0 1 69.46.24.172:33519 82.102.13.85:6667 SYN_SENT 11256/httpd -DSSL
    tcp 0 1 69.46.24.172:33522 82.102.13.85:6667 SYN_SENT 31995/httpd -DSSL
    tcp 0 1 69.46.24.172:33527 82.102.13.85:6667 SYN_SENT 32022/httpd -DSSL
    tcp 0 1 69.46.24.172:33528 82.102.13.85:6667 SYN_SENT 32037/httpd -DSSL
    tcp 0 1 69.46.24.172:33531 82.102.13.85:6667 SYN_SENT 11280/httpd -DSSL
    tcp 0 1 69.46.24.172:33539 82.102.13.85:6667 SYN_SENT 14983/httpd -DSSL
    tcp 0 1 69.46.24.172:33541 82.102.13.85:6667 SYN_SENT 15008/httpd -DSSL
    tcp 0 1 69.46.24.172:33542 82.102.13.85:6667 SYN_SENT 15031/httpd -DSSL
    tcp 0 1 69.46.24.172:56432 62.212.130.136:6667 SYN_SENT 27945/httpd -DSSL
    tcp 0 1 69.46.24.172:56436 62.212.130.136:6667 SYN_SENT 27369/httpd -DSSL
    tcp 0 1 69.46.24.172:56424 62.212.130.136:6667 SYN_SENT 27340/httpd -DSSL


    I have csf running and obviously the 6667 ports are blocked. I know it's a script (or scripts) running, but I'm not having complete success in removing all of them.
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    "/usr/local/apache/bin/httpd -DSSL" is the binary running, it is not the script. Check the binary's date, size, file format, etc. to be sure.

    However, if you think a "script" is running then it would likely show up as a CGI program or a Perl program. If you think the binary is running something that is allowing a port, then you might have a bigger problem, because httpd should not be listening on any ports but the ones you tell it to.

    Did you do "ps ax" to see everything AND run the "apache status" in the CP to see what exactly Apache is feeding? Normally running "ps ax" or something with more info will show you the PIDs of the httpd tasks; then you can run the Apache status to see what those tasks are doing and who is requesting the info. It really should show itself pretty easily.

    But are you sure 6667 is blocked? Seems like your Apache might be trying to respond to an IRC server, but that normally means you have a bad Apache httpd OR a Perl program masquerading as Apache (but that would usually show up as perl in "top" or "ps axj" or something).
     
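    The two checks nyjimbo describes above (outbound connections a web server worker should never open, and whether the PID is really the Apache binary or an interpreter masquerading as one) can be automated. This is an added example, not code from the thread or from cPanel; it parses `netstat -anp` output, flags connections to IRC ports, and resolves each PID's real executable through /proc/<pid>/exe. The port set, the Apache path and the sample output are assumptions.

```python
import os
import re

# Assumption: IRC's conventional ports; the thread itself only shows 6667.
IRC_PORTS = {6667, 6668, 6669, 6697}
# netstat -anp TCP line: proto recv-q send-q local foreign state pid/program
NETSTAT_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)/(.+)$"
)

def parse_netstat(text):
    """Parse the TCP lines of `netstat -anp` output; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            conns.append({"remote": m.group(4), "rport": int(m.group(5)),
                          "state": m.group(6), "pid": int(m.group(7)),
                          "prog": m.group(8).strip()})
    return conns

def suspicious(conns, ports=IRC_PORTS):
    """Outbound connections to an IRC port. SYN_SENT alone is enough to flag:
    with csf blocking the port the handshake never completes, as in the thread."""
    return [c for c in conns
            if c["rport"] in ports and c["state"] in ("SYN_SENT", "ESTABLISHED")]

def real_executable(pid):
    """What the PID actually executes. A script that rewrote its argv[0] to look
    like httpd still resolves to its interpreter (perl, php) here."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None  # process gone, or insufficient privilege to read the link

def audit(netstat_text, exe_lookup=real_executable,
          apache_bin="/usr/local/apache/bin/httpd"):
    """Map each suspicious PID to (claimed program, real executable, masquerading?)."""
    findings = {}
    for c in suspicious(parse_netstat(netstat_text)):
        exe = exe_lookup(c["pid"])
        findings[c["pid"]] = (c["prog"], exe, exe is not None and exe != apache_bin)
    return findings

# Constructed sample, not the thread's real output: two "workers" dialling an IRC
# server (RFC 5737 test addresses) and one genuine inbound HTTPS connection.
SAMPLE = """\
tcp 0 1 192.0.2.10:33517 198.51.100.5:6667 SYN_SENT 11245/httpd -DSSL
tcp 0 1 192.0.2.10:33519 198.51.100.5:6667 SYN_SENT 11256/httpd -DSSL
tcp 0 0 192.0.2.10:443 203.0.113.7:51002 ESTABLISHED 11300/httpd -DSSL
"""
```

Run `audit(open("netstat.txt").read())` as root on the affected box; a PID whose third field is True is a masquerading process, and `ls -l /proc/<pid>/cwd` then points at the directory the script lives in.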
  5. krusty

    krusty Member

    Joined:
    Apr 1, 2004
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    We are using the csf firewall, so the server should be blocking those ports (in theory). The reason I am suspecting a script is because we were alerted to an IRC being DoS'd from our server, and indeed there was a nice PHP script hidden in an old phpBB cache directory of an old customer (yes, bad maintenance on that incident).
     