Recently my apache server has been getting a lot of requests for files that don't exist. Just people scanning to see if there are unprotected administration files on my server I guessed.
That is to be expected when you run publicly accessible Internet-facing servers.
Please check if your box and services are up to date and properly hardened.
But last night the apache server restarted and the log files showed some strange requests:
Just a vulnerability scanner called "DFind". It's not related to SANS ISC.
I don't see how the SIGTERM, nearly five minutes later, is related.
You could test if it's reproducible by running the tool yourself if you're comfortable with that.
However, when I do crontab -e as nobody the file is empty.
Good.
Do I have to worry about this? I've shut down my apache server for now.
With respect to services: not if you (and, not or): run up-to-date software, have configured services well and do not run them as a privileged (root) user, don't run vulnerable services or allow access to what's basically "development" stuff like for instance XAMPP, and have good logging and auditing facilities. For more information have a look at the
LQ FAQ: Security references, esp. post #6: "Securing networked services".
With respect to the crontab (Chkrootkit-0.47):
Code:
chk_crontab () {
    STATUS=${NOT_INFECTED}
    # The only "infected" signature: a crontab line matching the regex crontab.*666
    CRONTAB_I_L="crontab.*666"
    # loc is chkrootkit's helper that finds the crontab binary in $pth
    CMD=`loc crontab crontab $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    # Expert mode (-x): just show the raw crontab of nobody and let the admin judge
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${CMD} -l -u nobody"
        return 5
    fi
    # Any crontab for nobody at all triggers the warning...
    if ${CMD} -l -u nobody >/dev/null 2>&1 ; then
        printn "Warning: crontab for nobody found, possible Lupper.Worm... "
        # ...but the status only becomes INFECTED when the signature string matches
        if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    fi
    return ${STATUS}
}
You see, as long as the crontab's contents don't contain a string starting with "crontab" and ending with "666", Chkrootkit will not flag it as infected. * This also shows a flaw in any string-based scan. If the string ended in, say, 667 or any other value, there would never be any flag raised. IMNSHO it is *crucial* to set up access rights (for cron that's /etc/cron.{deny,allow}) and have good auditing capabilities like installing, configuring and running Tiger and a file integrity scanner like Aide, Samhain or even tripwire right after O.S. install.