Apache webserver outage - need help with forensics

Marc M linuxr at gmail.com
Wed Apr 13 20:28:38 UTC 2005


Bob, 

Run a chkrootkit utility and it will tell you a lot of info. It won't tell 
you everything but it may give you a higher level of confidence that it was 
not hacked, or of course give you areas of concern if it does find 
something. 

I agree, it looks suspicious at first glance. Some things look bad but 
aren't; for example it may come back and show a port open in the range of 
32-thousand-something (32769?) - can't remember the exact one but further 
googling revealed that Fedora leaves one in that area open. When I ran it 
recently I was concerned about some things being open but I was happy to see 
that other than a very few other standard well known ports open for good 
reason, Fedora was pretty darn secure. 

Chkrootkit will do a lot other than ports, however. Check out 
http://freshmeat.net/projects/chkrootkit/

Hope that helps some

Marc
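One way to act on the port-checking advice above, as an added example that is not part of Marc's post and not chkrootkit's own code: a small POSIX shell script that extracts the listening TCP ports from netstat-style output and reports any that are not on an allowlist of services you expect, so that a listener you cannot account for stands out from the known ones. The allowlist (21, 25, 80, matching the FTP, mail and web services discussed in the thread) and the sample netstat output (which adds two extra listeners) are constructed for this example so it runs offline; the `--live` flag is an assumption of this script, not a netstat option.

```shell
#!/bin/sh
# Added example: compare listening TCP ports against an allowlist of expected
# services and print the ones that need investigating.

# Ports you know should be listening on this host (constructed for the example).
EXPECTED_PORTS="21 25 80"

# Sample 'netstat -ltn' style output, constructed so the script runs offline.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN'

# listening_ports: read netstat/ss-style lines on stdin and print the port
# number of every LISTEN socket, sorted numerically, one per line.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# unexpected_ports: print each listening port (from stdin) that is not in
# EXPECTED_PORTS; an empty result means every listener is accounted for.
unexpected_ports() {
    listening_ports | while read -r port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;        # known service, nothing to report
            *) echo "$port" ;;     # unexpected listener: find out what owns it
        esac
    done
}

# With --live (hypothetical flag of this script) inspect the real host;
# otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    netstat -ltn 2>/dev/null | unexpected_ports
else
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
fi
```

Run on the sample, it reports 6667 and 32769; each such port is then something to identify (which process owns it, whether a package installs it) and either add to the allowlist with a note or treat as a finding, which is the same judgement Marc describes making about the 32-thousand-range port.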


On 4/13/05, Bob Brennan <rbrennan96 at gmail.com> wrote:
> 
> On 4/13/05, Kristina Clair <kclair at gmail.com> wrote:
> > On 4/13/05, Bob Brennan <rbrennan96 at gmail.com> wrote:
> > > On 4/13/05, Kristina Clair <kclair at gmail.com> wrote:
> > > > Did you do a traceroute or any other network diagnostic to make sure
> > > > that you were actually able to reach the server? It sounds like a
> > > > networking problem...
> > > >
> > > > Kristina
> > >
> > > Hi Kristina - FTP and mailserver (the only other 2 open services) were
> > > responding quickly and correctly throughout the outage - all running
> > > on the same machine.
> > >
> >
> > Hmmm. I was confused about this point:
> > * all access_log and error_log for all sites - showed 5 users using
> > the sites at the time but nothing unusual
> >
> > Did you mean that 5 users were using the sites right before it became
> > inaccessible, or that there were people actually using the site when
> > you couldn't reach it?
> 
> There were log entries on several of my virtual domains right up to
> the minute that the webserver became unresponsive - at least 5
> separate IP addresses at the time. I noticed the problem when
> Squirrelmail timed out on a refresh. There are no log entries on any
> of the sites for the next 20 minutes.
> 
> > Also, did you check all the domains that apache is configured to serve?
> 
> Yes I checked all domains, including the IP address itself. Even
> "telnet myserver.net 80" would not connect. "telnet myserver.net 21"
> and 25 responded as expected.
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>