Hi,

I've been using Apache for a few years now, but I hadn't touched it for the past few months (though I have been running regular updates of everything through Portage). When I tried to use it a week or so back, I started getting the strangest error. Some Python CGI scripts wouldn't execute correctly and certain filetypes, such as CSS, would not be properly delivered by Apache. Instead, I get a plaintext page withwhen I try to execute some CGI or directly navigate to a CSS file. I'm running x86 Gentoo Linux (kernel 2.6.26-gentoo-r4) and Apache 2.2.10. Any ideas as to what's going on?

Thanks!

Hi,

there seems a openssh server tunneled via http running on your apache port. Recheck complete installation on your machine. Take the machine offline it seems to be compromised.

The line you get is the same as you do "telnet ssh_server_ip 22" it's the first line a ssh server will send to the client.

I don't think that it's been compromised, as I run SSH on a non-standard port, have a hardened login process including disabling root login, and use random strings for passwords. Have there been any recent exploits?

However, I will be careful, and have taken it offline. I just checked processes for any other sshd's running, and there is just the one. Or is it likely it's been "hidden" or something?

I did a quick check of files on the server, and there doesn't seem to be anything suspicious.

Also, I tried connecting to SSH on the same port as the webserver, and nothing is showing up.

One thing though: I switched my router to pfSense a while back, and when configuring the firewall rules, I accidentally set up all connections to forward to all the ports. Could this have caused the problem?

Edit: I just tried connecting to the server through my LAN, and I'm still getting the message, so it's not pfSense's fault. You're probably right about it being compromised. I will do an OS reinstall. Are there any special precautions I should take for the reinstall?

Edit 2: I had pfSense applying that port forwarding rule to connections from the LAN as well, so it may be its fault after all. I'm rebooting the machine right now to see if I can kill that rogue SSHd if it's really there.

Edit 3: Disregard the stuff about pfSense. I wasn't looking at the right configuration page. I guess the firewall rules were set up correctly, but I just didn't know how to read them. I originally went to the port forwarding page and set up everything through there, and pfSense automatically set up firewall rules from that.

On another note, I just stopped SSH on my server, and then attempted to access the CGI again, and I'm still getting the string. Is there some way to find where this other SSH thing is running?

Final edit: PEBKAC

I'm developing some web software, and there was a mistake in my configure command that was causing this issue. Sorry for all the trouble :/

Thanks!

Hi,

first, if you are unsure about the state of your host, take it offline.

There are still different cracks available hiding processes by changing kernel memory at run time for example.

rpm based distributions allows verification of installed software by using , i don't know if gentoo allows some thing.

Search your system for hidden directories and files (beginning with a dot), check your init scripts if there will be processes started you don't know about, check kernel modules loaded, are there some strange?

Easiest way is to backup data and reinstall. Mostly this will take less time than doing forensic research, and reinstallation will be easier.

Thanks for the help, but I found the issue. As I said above, I'm developing some web software. I use non-standard ports for SSH and HTTP. The configure command for the software requires a specification of the webserver's URL. I have to put in the non-standard port for HTTP in the URL, but I accidentally put in the non-standard port for SSH. This caused the location of all files on the page (which is dynamically modified using autoconf), including the CSS and the CGI script location for the form on the page to use the SSH port, which was giving me the error. I fixed that and everything is OK now. Thanks again for all your help!

Hi,

so all got to a happy end *g*