Hello,

I have a Centos 6 server that I use to host some websites, and few days ago some strange messages start appearing in my Apache error_log file (/var/log/httpd/error_log), and I don't know what they mean, and if it is something bad or normal.

The message is the following:

# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_.facebook.com TRUE / FALSE 1472112725 datr 3rvzVL_80MSwtcNW5K8WSoJ


It appears with a frequency of about once every hour.

So far I couldn't identify what website is generating these messages. I searched for some keywords inside websites logs but I found nothing relevant (if you know the right string to search inside logs please tell me). Moreover I would like to know where the file mentioned in the message is located.

Can anyone help me?

Thank you.

Roberto

Hi there,

this is definitely not an Apache message, and so (IMO) something that SHOULD NOT appear in Apache's error log. It looks like a fragment of a configuration file (curl?), but I'm curious as hell how this ends up in Apache's error log. Could an Apache module or CGI possibly be writing its own messages into the log file?

Regular error log messages start with a timestamp, followed by "[error]" or "[notice]"; rarely they begin with "apache2:" followed by a message in prose.

What file??

[X] Doc CPU

It's not unusual for me to see messages not beginning with [error] or [notice] inside Apache error log (i.e. curl), but I think it just depends on how Apache logging is configured.


The file mentioned in the message, which says "This file was generated by libcurl! Edit at your own risk."

Hi

If you use a CGI or a PHP script that uses exec or similar to run some shell script, any output to standard error (stderr) is sent to the Apache error log. It doesn't have to be PHP, any scripting languge that lets you run shell commands can do this.

I would grep for curl to find out what is causing it. The cookie file is used when you want to automate things. For example you can use curl to login to some site, and then store the session cookie in a file. Then you can use curl with the cookie file to get stuff that require login. And from the error messages it looks like it's facebook.

So, if you have some code that does a facebook login and does something with facebook, it's probably the cause. If you find out it's harmless, you can add "2>/dev/null" to the curl shell command and this doesn't show up in the error log.

Hi there,

just like that, without further tricks? I didn't know that, thanks.
Doesn't this imply that output from a PHP script (just as an example) that is explicitly written to stderr also ends up in Apache's error log?

I never bothered to try, but that would be the logical consequence ...

[X] Doc CPU

CentOS 6 what?
websites is plural, so are there any too permissive permissions on directories and files?
Directories on websites should be 755 and files should be 644 with the exception of cgi scripts.
Examine the /tmp directory closely.

I'd grab the exact date/time stamp from the apache log and document that somewhere for comparison. See http://www.cyberciti.biz/faq/unix-li...on-given-date/ for some comparison techniques against the timestamp on the apache log.

Check:
output from those please.

This suggests a cron job. How many users on the system?
Try as root to see crons for users of the system.
Examine files in etc/cron.* directories for curl commands.
I'd remove the curl package if you don't use it, or none of the sites use it.

Have a look at https://www.rfxn.com/projects/linux-malware-detect/ and
http://rkhunter.sourceforge.net/ and clamav

Hi again

I doubt it is cron, then it wouldn't be in the Apache error log.

Yes, it's easy to mess up the Apache error log that way. Try this:

It ends up in the error log, and becuase of no trailing newline, it looks like a prefix to the next error message.

Hi there,

there's hardly a day without learning something. :-)
Thank you for confirming the thought.

[X] Doc CPU