Re: Apache webserver outage - need help with forensics


Run a chkrootkit utility and it will tell you a lot of info.  It won't tell you everything but it may give you a higher level of confidence that it was not hacked, or of course give you areas of concern if it does find something.  

I agree, it looks suspicious at first glance.  Some things look bad but aren't; for example it may come back and show a port open in the range of 32-thousand-something (32769?) - can't remember the exact one but further googling revealed that Fedora leaves one in that area open.   When I ran it recently I was concerned about some things being open but I was happy to see that other than a very few other standard well known ports open for good reason, Fedora was pretty darn secure. 

Chkrootkit will do a lot other than ports, however.  Check out http://freshmeat.net/projects/chkrootkit/

Hope that helps some


On 4/13/05, Bob Brennan <rbrennan96 gmail com> wrote:
On 4/13/05, Kristina Clair <kclair gmail com> wrote:
> On 4/13/05, Bob Brennan <rbrennan96 gmail com> wrote:
> > On 4/13/05, Kristina Clair <kclair gmail com> wrote:
> > > Did you do a traceroute or any other network diagnostic to make sure
> > > that you were actually able to reach the server?  It sounds like a
> > > networking problem...
> > >
> > > Kristina
> >
> > Hi Kristina - FTP and mailserver (the only other 2 open services) were
> > responding quickly and correctly throughout the outage - all running
> > on the same machine.
> >
> Hmmm.  I was confused about this point:
> * all access_log and error_log for all sites - showed 5 users using
> the sites at the time but nothing unusual
> Did you mean that 5 users were using the sites right before it became
> inaccessible, or that there were people actually using the site when
> you couldn't reach it?

There were log entries on several of my virtual domains right up to
the minute that the webserver became unresponsive - at least 5
separate IP addresses at the time. I noticed the problem when
Squirrelmail timed out on a refresh. There are no log entries on any
of the sites for the next 20 minutes.

> Also, did you check all the domains that apache is configured to serve?

Yes I checked all domains, including the IP address itself. Even
"telnet myserver.net 80" would not connect. "telnet myserver.net 21"
and 25 responded as expected.
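A small triage script for the log observation in this thread (requests on every virtual host right up to the minute the server stopped answering, then nothing for about 20 minutes): it merges Apache combined-format access_log lines, finds silences longer than a threshold, and lists the client IPs active in the minutes before each one. This is an added example, not code from the thread; the log lines are constructed and the thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" access_log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, ip, request, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return (ts, m.group("ip"), m.group("req"), int(m.group("status")))

def find_gaps(lines, min_gap_minutes=10, lookback_minutes=5):
    """Find silences of at least min_gap_minutes across the merged logs.

    Returns a list of (last_request_ts, next_request_ts, ips_before), where
    ips_before are the distinct client IPs seen in the lookback window that
    ends at the last request before the silence (assumed window size).
    """
    entries = sorted(e for e in map(parse_line, lines) if e)
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        if cur[0] - prev[0] >= timedelta(minutes=min_gap_minutes):
            window_start = prev[0] - timedelta(minutes=lookback_minutes)
            ips = sorted({e[1] for e in entries if window_start <= e[0] <= prev[0]})
            gaps.append((prev[0], cur[0], ips))
    return gaps

# Constructed sample: three virtual hosts' logs already merged, RFC 5737 addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2005:14:00:05 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [13/Apr/2005:14:01:12 -0400] "GET /webmail/ HTTP/1.1" 200 5120
203.0.113.10 - - [13/Apr/2005:14:02:44 -0400] "GET /images/logo.png HTTP/1.1" 200 2310
192.0.2.55 - - [13/Apr/2005:14:03:58 -0400] "POST /login.php HTTP/1.1" 302 0
198.51.100.7 - - [13/Apr/2005:14:04:30 -0400] "GET /webmail/src/right_main.php HTTP/1.1" 200 7700
203.0.113.10 - - [13/Apr/2005:14:25:01 -0400] "GET /index.html HTTP/1.1" 200 1043
""".splitlines()

if __name__ == "__main__":
    for start, end, ips in find_gaps(SAMPLE_LOG):
        print(f"silence {start:%H:%M:%S} -> {end:%H:%M:%S} "
              f"({(end - start).total_seconds() / 60:.1f} min); "
              f"active before: {', '.join(ips)}")
```

Pipe the real logs in with something like `cat /var/log/httpd/*access_log* | python3 gaps.py` after replacing `SAMPLE_LOG` with `sys.stdin`; a gap that lines up across all vhosts while FTP and SMTP kept answering points at httpd itself rather than the network, which is the distinction this thread is circling.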

