compromised apache2?
I have noticed unexpected tcp connections whenever I start /etc/init.d/apache2 (see netstat output below). These connections appear in a couple of minutes, first the top two entries, then four and stay at four. I am not running any other web-related utilities, no firefox. I can't explain why I see them. These connections go away almost immediately when I stop apache2.

My questions are: 1) is my apache2 installation compromised? and 2) if so, how should I remediate it? Many thanks in advance,

Yuelin.

% netstat -atu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 sky.local:www           91-110-14-210.server:96 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:www SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:216 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:236 SYN_RECV
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN

=====================================================================
Please note that this e-mail and any files transmitted with it may be privileged, confidential, and protected from disclosure under applicable law. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this communication or any of its attachments is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this message and deleting this message, any attachments, and all copies and backups from your computer.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
compromised apache2?
Yuelin Li wrote:
Ugh. Please don't send ugly, non-legal 13 page sigs. If you were using a .com address, I'd say stop using your employer's email to send to lists, but since it's .org, it's unlikely even to be required. That's just calculated to annoy us.

> I have noticed unexpected tcp connections whenever I start
> /etc/init.d/apache2 (see netstat output below). These connections
> appear in a couple of minutes, first the top two entries, then four
> and stay at four. I am not running any other web-related utilities,
> no firefox. I can't explain why I see them. These connections go away
> almost immediately when I stop apache2.
>
> My questions are: 1) is my apache2 installation compromised? and 2)
> if so, how should I remediate it? Many thanks in advance,

> % netstat -atu

# netstat -atun would be nicer.

It seems unlikely - 91-110-14-210.server is not a valid Internet name, so it's probably local to your lan. I'm not quite sure which of these 7 entries you think are problematic, but all the LISTEN sockets are normal:

> tcp 0 0 *:www *:* LISTEN

Apache server.

> tcp 0 0 localhost:ipp *:* LISTEN

Print server

> tcp6 0 0 *:ssh *:* LISTEN

ssh daemon.

--
derek
compromised apache2?
Found a solution. It appears to be a denial of service attack.
See http://ubuntu-help.info/

Yuelin.

-- Yuelin Li wrote --|Tue (Dec/25/2007)[06:02]|--:

I have noticed unexpected tcp connections whenever I start /etc/init.d/apache2 (see netstat output below). These connections appear in a couple of minutes, first the top two entries, then four and stay at four. I am not running any other web-related utilities, no firefox. I can't explain why I see them. These connections go away almost immediately when I stop apache2.

My questions are: 1) is my apache2 installation compromised? and 2) if so, how should I remediate it? Many thanks in advance,

Yuelin.

% netstat -atu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 sky.local:www           91-110-14-210.server:96 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:www SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:216 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:236 SYN_RECV
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
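
For triaging the half-open entries discussed in this thread, here is an added example (not part of any poster's message) that reads `netstat -atu` or `netstat -atun` output on stdin and counts SYN_RECV entries per local port and foreign host. The function names, the default threshold and the sample function (lines re-typed from the output quoted above) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: summarise half-open (SYN_RECV) TCP connections from
# netstat output read on stdin.
# Prints one line per pair, highest count first: "<count> <local-port> <host>"
syn_recv_summary() {
    awk '
        $1 ~ /^tcp/ && $NF == "SYN_RECV" {
            lport = $4; sub(/^.*:/, "", lport)    # local port: text after last colon
            host  = $5; sub(/:[^:]*$/, "", host)  # foreign host: drop trailing :port
            n[lport " " host]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Exit status 0 when any port/host pair reaches the threshold
# (hypothetical default of 3), 1 otherwise.
syn_recv_alert() {
    threshold=${1:-3}
    syn_recv_summary |
        awk -v t="$threshold" '$1 >= t { hit = 1 } END { exit !hit }'
}

# Constructed sample input: the netstat lines quoted in this thread.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:www *:* LISTEN
tcp 0 0 sky.local:www 91-110-14-210.server:96 SYN_RECV
tcp 0 0 sky.local:www 91-110-14-210.serve:www SYN_RECV
tcp 0 0 sky.local:www 91-110-14-210.serve:216 SYN_RECV
tcp 0 0 sky.local:www 91-110-14-210.serve:236 SYN_RECV
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 *:ssh *:* LISTEN
EOF
}

sample_netstat | syn_recv_summary
```

Without `-n`, netstat cuts the foreign name to fit its address column, so the sample splits across two spellings of the host; feeding the function `netstat -atun` output gives one numeric key per peer.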