On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> > On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > > I added an iptables rule to the OUTPUT chain dropping all tcp packets to
> > > that box:port and guess what? My server was back idle again. No more 99 %
> > > cpu usage and the process now sits there.
> >
> > Seems like the process is a DoS zombie. Probably it opened as many
> > connections to that machine, as possible, and that caused the heavy CPU
> > utilization.
>
> Hmm, there wasn't much network traffic, at least not significantly more
> than some other time.
A DoS does not necessarily mean a lot of traffic byte-wise. Remember that it
only takes 2 packets sent and one received to initiate a TCP connection. And
creating a huge number of connections certainly can be considered a DoS.
But anyway.. who knows... maybe it was a broken worm or something..

> There's more interesting news:
> As I stopped apache, the other apache proc immediately took port 443 and
> listened on it. A little while later also port 80 was in use. I connected
> to both of them with a browser and with telnet but there was no response.
>
> This fact made me think, that someone really hacked me, because port 80
> and 443 can only be opened with root permissions.

Had the apache you shut down been listening on port 443?

I suspect there is an exploit which somehow "infects" an apache process
(probably by exploiting some PHP memory management bug) and takes over the
port when apache shuts down. I say so because I have seen such situations
two times myself, and there also was no other sign of the attacker gaining
root access.

Marcin

-- 
Marcin Owsiany <[EMAIL PROTECTED]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
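As an added triage example, not part of this thread or of any Debian tooling: the two symptoms Timo describes (many sockets to one host:port driving the CPU, and a stray process listening on 80/443 after apache was stopped) can both be read off /proc/net/tcp. The parser, the arbitrary threshold and the sample table below are my own constructions; the address decoding assumes an x86 (little-endian) host.

```python
from collections import Counter
import socket
import struct

# Constructed /proc/net/tcp excerpt (not real data). Addresses are hex in host
# byte order, ports hex in network order; st 0A=LISTEN, 01=ESTABLISHED, 02=SYN_SENT.
# Three sockets to 10.0.2.15:80 mimic the zombie's connection flood.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: 0100007F:8001 0F02000A:0050 01 00000000:00000000 00:00000000 00000000    33        0 12347
   3: 0100007F:8002 0F02000A:0050 02 00000000:00000000 00:00000000 00000000    33        0 12348
   4: 0100007F:8003 0F02000A:0050 01 00000000:00000000 00:00000000 00000000    33        0 12349
   5: 0100007F:8004 0501A8C0:0016 01 00000000:00000000 00:00000000 00000000     0        0 12350
"""
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}

def decode_endpoint(field):
    """'0100007F:0050' -> ('127.0.0.1', 80). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": STATES.get(f[3], f[3]), "uid": int(f[7])})
    return rows

def connections_per_destination(rows):
    """Established or half-open sockets grouped by remote (ip, port)."""
    return Counter(r["remote"] for r in rows if r["state"] in ("ESTABLISHED", "SYN_SENT"))

def suspicious_destinations(rows, threshold=3):
    """Remote endpoints with at least `threshold` sockets (threshold is arbitrary)."""
    return {dst: n for dst, n in connections_per_destination(rows).items() if n >= threshold}

def privileged_listeners(rows, limit=1024):
    """(port, uid) of LISTEN sockets below `limit`; compare with the daemon you expect."""
    return sorted((r["local"][1], r["uid"]) for r in rows
                  if r["state"] == "LISTEN" and r["local"][1] < limit)

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE)  # on a live host: open("/proc/net/tcp").read()
    print("privileged listeners (port, uid):", privileged_listeners(rows))
    print("busy destinations:", suspicious_destinations(rows))
```

Map a listener's inode column back to a PID via /proc/*/fd to see which binary actually holds port 443; an `iptables -A OUTPUT` drop rule like Timo's stops the flood but does not identify the process.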