MakassarNET

I received a lot of report emails from my server with the following information.

Time: Wed Feb 11 12:54:39 2009 +0800
PID: 13071
Account: nobody
Uptime: 119 seconds


Executable:

/usr/local/apache/bin/httpd (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/local/apache/bin/httpd -k start -DSSL


Network connections by the process (if any):

tcp: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:443 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/usr/local/apache/logs/error_log
/dev/urandom
/usr/local/apache/logs/modsec_audit.log
/usr/local/apache/logs/modsec_debug_log
/usr/local/apache/domlogs/xxxxxxx.net-ssl_data_log
/usr/local/apache/logs/access_log
/usr/local/apache/domlogs/xxxxxxx.net-bytes_log
/usr/local/apache/domlogs/xxxxxxx.net-ssl_log
/usr/local/apache/domlogs/xxxxxxx.net
/usr/local/apache/domlogs/xxxxxxx.net-bytes_log
/usr/local/apache/domlogs/xxxxxxx.net
/usr/local/apache/domlogs/xxxxxxx.com-bytes_log
/usr/local/apache/domlogs/xxxxxxx.com
/usr/local/apache/logs/ssl_mutex (deleted)
/usr/local/apache/logs/mod_jk.log
/usr/local/apache/logs/jk-runtime-status.26846
/usr/local/apache/logs/jk-runtime-status.26846.lock
eventpoll:[35500800]
I need advice from someone: is something wrong with my server, or is my server compromised?

Thanks in advance.


Sincerely,
 

Infopro

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Wrong forum, try here:
http://forum.configserver.com/showthread.php?t=2059
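
The check behind the report quoted in this thread can be reproduced by hand. The script below is an added example, not part of the original posts and not csf/lfd code: it reads each `/proc/PID/exe` link and separates the case the report calls typical (a new file exists at the same path after an update) from the case where nothing exists at that path any more. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage processes whose /proc/PID/exe link ends in " (deleted)".
# Function names and the sample tree are constructed for illustration.

# Classify one PID under a proc root (normally /proc):
#   ok          executable still linked on disk
#   replaced    old inode unlinked, a file exists at the same path again
#               (consistent with an update that was not followed by a restart)
#   missing     nothing exists at that path now; inspect this process by hand
#   unreadable  link cannot be read (no permission, kernel thread, or PID gone)
classify_exe() {
    proc_root=$1
    pid=$2
    target=$(readlink "$proc_root/$pid/exe" 2>/dev/null) || { echo unreadable; return; }
    case $target in
        *" (deleted)")
            path=${target%" (deleted)"}
            if [ -e "$path" ]; then echo replaced; else echo missing; fi ;;
        *) echo ok ;;
    esac
}

# Report PID, state and exe link for every process running a deleted executable.
scan_deleted() {
    scan_root=${1:-/proc}
    for dir in "$scan_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        state=$(classify_exe "$scan_root" "${dir##*/}")
        case $state in
            replaced|missing)
                printf '%s\t%s\t%s\n' "${dir##*/}" "$state" "$(readlink "$dir/exe")" ;;
        esac
    done
}

# Build a constructed /proc-like tree (not real process data) and print its path.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/proc/100" "$root/proc/200" "$root/proc/300"
    : > "$root/bin/httpd"                                   # file present at path
    ln -s "$root/bin/httpd (deleted)" "$root/proc/100/exe"  # replaced binary
    ln -s "$root/tmp/x (deleted)" "$root/proc/200/exe"      # path now empty
    ln -s "$root/bin/httpd" "$root/proc/300/exe"            # normal process
    echo "$root"
}

sample=$(make_sample) && scan_deleted "$sample/proc" && rm -rf "$sample"
```

On a live host, run `scan_deleted /proc` as root; a `replaced` entry clears once the service is restarted, as the report says.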