03-05-2006, 08:34 PM
|
#1
|
Member
Registered: Feb 2006
Distribution: Slackware 10.2, (2.6.16.16), FC 5
Posts: 109
Rep:
|
Apache log question regarding security
Last week I noticed that I had some brute force attempts on ssh, none of which were successful as far as I can tell. Today, I noticed the following in my Apache error log:
Quote:
[Sun Mar 05 04:02:06 2006] [notice] Digest: generating secret for digest authentication ...
[Sun Mar 05 04:02:06 2006] [notice] Digest: done
[Sun Mar 05 04:02:06 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Mar 05 04:02:06 2006] [notice] LDAP: SSL support unavailable
[Sun Mar 05 04:02:07 2006] [notice] Apache/2.0.47 (Fedora) configured -- resuming normal operations
script not found or unable to stat
script not found or unable to stat
[Sun Mar 05 07:49:31 2006] [error] [client 216.63.146.236] File does not exist: /var/www/html/mambo
[Sun Mar 05 07:49:32 2006] [error] [client 216.63.146.236] File does not exist: /var/www/html/cvs
script not found or unable to stat
[Sun Mar 05 07:49:34 2006] [error] [client 216.63.146.236] File does not exist: /var/www/html/drupal
[Sun Mar 05 07:49:35 2006] [error] [client 216.63.146.236] File does not exist: /var/www/html/phpgroupware
[Sun Mar 05 07:49:37 2006] [error] [client 216.63.146.236] File does not exist: /var/www/html/wordpress
script not found or unable to stat
script not found or unable to stat
[Sun Mar 05 12:27:20 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/mambo
[Sun Mar 05 12:27:22 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/cvs
[Sun Mar 05 12:27:23 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/articles
[Sun Mar 05 12:27:24 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/cvs
script not found or unable to stat
[Sun Mar 05 12:27:28 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/blog
[Sun Mar 05 12:27:29 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/blog
[Sun Mar 05 12:27:30 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/blogs
[Sun Mar 05 12:27:31 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/drupal
[Sun Mar 05 12:27:33 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/phpgroupware
[Sun Mar 05 12:27:34 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/wordpress
script not found or unable to stat
[Sun Mar 05 12:27:36 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/xmlrpc
[Sun Mar 05 12:27:38 2006] [error] [client 202.125.44.182] File does not exist: /var/www/html/xmlsrv
[Sun Mar 05 14:04:31 2006] [warn] child process 8051 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8052 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8053 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8054 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8055 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8056 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8058 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8059 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8051 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8052 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8055 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8056 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8058 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:31 2006] [warn] child process 8059 still did not exit, sending a SIGTERM
[Sun Mar 05 14:04:32 2006] [notice] caught SIGTERM, shutting down
|
I'm fairly new to running my own personal Apache server, so I don't know if this means much or not, but the lines I'm questioning are the first two with "Digest", the one mentioning Apache being configured, and the last one mentioning "SIGTERM". I've only been running a basic placeholder page in Apache and haven't made any config changes at all for weeks. The mention of something being configured this morning caught my attention. Are these normal, or something to be concerned about?
|
|
|
03-06-2006, 04:44 PM
|
#2
|
Moderator
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696
|
It doesn't look very good. It may cause your server to have very high load average. Something's preventing Apache threads from exiting when they should. It may be a script that's in an infinite loop etc. Hard to say having just the error log. Look into the normal log. Look at the requests (compare timestamps). Do you have only requests for static pages or maybe also scripts?
|
|
|
03-06-2006, 09:10 PM
|
#3
|
Member
Registered: Feb 2006
Distribution: Slackware 10.2, (2.6.16.16), FC 5
Posts: 109
Original Poster
Rep:
|
Here's the normal log for the same day:
Does this look like a system compromise, or just a problem with the way Apache is operating?
|
|
|
03-07-2006, 05:11 PM
|
#4
|
Moderator
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696
|
It looks like an attack. Unsuccessful, as it seems from the error log (files not found). Something has caused the processes to run, however. You may have a small number of requests that didn't get 4xx errors. Look for them.
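The check suggested in the post above (find requests from the probing clients that did not get a 4xx), as an added example that is not part of the original thread. It assumes the access log is in Apache Common/Combined Log Format; the sample lines, their addresses and the `min_misses` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Common/Combined Log Format prefix:
#   client ident user [time] "request line" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) \S+'
)

def triage(lines, min_misses=3):
    """Find clients with at least min_misses 4xx responses and return every
    request from them that did NOT get a 4xx, plus the lines left unparsed."""
    misses = defaultdict(int)
    answered = defaultdict(list)
    skipped = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)  # keep odd lines for manual review
            continue
        client, status = m["client"], m["status"]
        if status.startswith("4"):
            misses[client] += 1
        else:
            answered[client].append((m["time"], m["request"], status))
    report = {c: answered.get(c, []) for c, n in misses.items() if n >= min_misses}
    return report, skipped

# Constructed sample (documentation-range addresses, not the thread's log).
SAMPLE = """\
198.51.100.7 - - [05/Mar/2006:07:49:31 -0500] "GET /mambo/ HTTP/1.1" 404 283
198.51.100.7 - - [05/Mar/2006:07:49:32 -0500] "GET /cvs/ HTTP/1.1" 404 281
198.51.100.7 - - [05/Mar/2006:07:49:34 -0500] "GET /drupal/ HTTP/1.1" 404 284
192.0.2.10 - - [05/Mar/2006:12:27:20 -0500] "GET /mambo/ HTTP/1.1" 404 283
192.0.2.10 - - [05/Mar/2006:12:27:22 -0500] "GET /cvs/ HTTP/1.1" 404 281
192.0.2.10 - - [05/Mar/2006:12:27:31 -0500] "GET /wordpress/ HTTP/1.1" 404 287
192.0.2.10 - - [05/Mar/2006:12:27:34 -0500] "GET /index.html HTTP/1.1" 200 1456
10.0.0.5 - - [05/Mar/2006:13:02:11 -0500] "GET / HTTP/1.1" 200 1456
10.0.0.5 - - [05/Mar/2006:13:02:12 -0500] "GET /favicon.ico HTTP/1.1" 404 287
truncated line without a status
""".splitlines()

if __name__ == "__main__":
    report, skipped = triage(SAMPLE)
    for client, hits in report.items():
        print(client, hits if hits else "only 4xx responses")
    print("unparsed lines:", skipped)
```

An empty list for a client means every request it made was refused with a 4xx; any entry in the list is a request worth comparing against the error-log timestamps.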
|
|
|
03-07-2006, 10:18 PM
|
#5
|
Member
Registered: Feb 2006
Distribution: Slackware 10.2, (2.6.16.16), FC 5
Posts: 109
Original Poster
Rep:
|
I don't see anything that got something other than a 404, other than 2 from my internal network.
I stopped the apache service as soon as I saw this the other day. Is it safe to restart it, or do I need some more investigating first?
|
|
|
03-08-2006, 04:54 PM
|
#6
|
Moderator
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696
|
Before restarting, upgrade it (you may be one or two versions behind). Then run it, but look into the logs from time to time to see if there are anomalies.
|
|
|
03-08-2006, 09:53 PM
|
#7
|
Member
Registered: Feb 2006
Distribution: Slackware 10.2, (2.6.16.16), FC 5
Posts: 109
Original Poster
Rep:
|
Thanks for all of your suggestions.
|
|
|
All times are GMT -5. The time now is 02:34 PM.