LinuxQuestions.org
Old 03-07-2009, 09:12 PM   #1
srunni
LQ Newbie
 
Registered: Jun 2007
Posts: 24

Rep: Reputation: 15
Apache returns "SSH-2.0-OpenSSH_5.1" for many files


Hi,

I've been using Apache for a few years now, but I hadn't touched it for the past few months (though I have been running regular updates of everything through Portage). When I tried to use it a week or so back, I started getting the strangest error. Some Python CGI scripts wouldn't execute correctly and certain filetypes, such as CSS, would not be properly delivered by Apache. Instead, I get a plaintext page with
Code:
SSH-2.0-OpenSSH_5.1
when I try to execute some CGI or directly navigate to a CSS file. I'm running x86 Gentoo Linux (kernel 2.6.26-gentoo-r4) and Apache 2.2.10. Any ideas as to what's going on?

Thanks!

Last edited by srunni; 03-07-2009 at 09:14 PM.
 
Old 03-08-2009, 12:12 AM   #2
mesiol
Member
 
Registered: Nov 2008
Location: Lower Saxony, Germany
Distribution: CentOS, RHEL, Solaris 10, AIX, HP-UX
Posts: 731

Rep: Reputation: 137
Hi,

There seems to be an OpenSSH server tunneled via HTTP running on your Apache port. Recheck the complete installation on your machine. Take the machine offline; it seems to be compromised.

The line you get is the same as when you do "telnet ssh_server_ip 22"; it's the first line an SSH server will send to the client.
 
Old 03-08-2009, 11:54 AM   #3
srunni
LQ Newbie
 
Registered: Jun 2007
Posts: 24

Original Poster
Rep: Reputation: 15
I don't think that it's been compromised, as I run SSH on a non-standard port, have a hardened login process including disabling root login, and use random strings for passwords. Have there been any recent exploits?

However, I will be careful, and have taken it offline. I just checked processes for any other sshd's running, and there is just the one. Or is it likely it's been "hidden" or something?

I did a quick check of files on the server, and there doesn't seem to be anything suspicious.

Also, I tried connecting to SSH on the same port as the webserver, and nothing is showing up.

One thing though: I switched my router to pfSense a while back, and when configuring the firewall rules, I accidentally set up all connections to forward to all the ports. Could this have caused the problem?

Edit: I just tried connecting to the server through my LAN, and I'm still getting the message, so it's not pfSense's fault. You're probably right about it being compromised. I will do an OS reinstall. Are there any special precautions I should take for the reinstall?

Edit 2: I had pfSense applying that port forwarding rule to connections from the LAN as well, so it may be its fault after all. I'm rebooting the machine right now to see if I can kill that rogue SSHd if it's really there.

Edit 3: Disregard the stuff about pfSense. I wasn't looking at the right configuration page. I guess the firewall rules were set up correctly, but I just didn't know how to read them. I originally went to the port forwarding page and set up everything through there, and pfSense automatically set up firewall rules from that.

On another note, I just stopped SSH on my server, and then attempted to access the CGI again, and I'm still getting the string. Is there some way to find where this other SSH thing is running?

Final edit: PEBKAC

I'm developing some web software, and there was a mistake in my configure command that was causing this issue. Sorry for all the trouble :/


Thanks!

Last edited by srunni; 03-08-2009 at 02:02 PM.
 
Old 03-08-2009, 02:09 PM   #4
mesiol
Member
 
Registered: Nov 2008
Location: Lower Saxony, Germany
Distribution: CentOS, RHEL, Solaris 10, AIX, HP-UX
Posts: 731

Rep: Reputation: 137
Hi,

First, if you are unsure about the state of your host, take it offline.

There are still different cracks available that hide processes, for example by changing kernel memory at run time.

RPM-based distributions allow verification of installed software by using
Code:
rpm -V PACKAGE_NAME
, I don't know if Gentoo allows something like that.

Search your system for hidden directories and files (beginning with a dot), check your init scripts for processes being started that you don't know about, and check the loaded kernel modules: are there any strange ones?

The easiest way is to back up data and reinstall. Mostly this will take less time than doing forensic research, and reinstallation will be easier.
 
Old 03-08-2009, 03:27 PM   #5
srunni
LQ Newbie
 
Registered: Jun 2007
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks for the help, but I found the issue. As I said above, I'm developing some web software. I use non-standard ports for SSH and HTTP. The configure command for the software requires a specification of the webserver's URL. I have to put in the non-standard port for HTTP in the URL, but I accidentally put in the non-standard port for SSH. This caused the location of all files on the page (which is dynamically modified using autoconf), including the CSS and the CGI script location for the form on the page to use the SSH port, which was giving me the error. I fixed that and everything is OK now. Thanks again for all your help!
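The two checks this diagnosis points to, as an added example that is not part of the thread or any poster's code: identify which protocol actually answers on a port from its first line, and audit a generated page for absolute URLs that point at a port other than the web server's. The host name `server.example`, the ports 8080 (HTTP) and 2222 (SSH) and the sample page are constructed for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

def classify_banner(first_line: bytes) -> str:
    """Name the protocol from the first line a service sends back."""
    if first_line.startswith(b"SSH-"):
        return "ssh"    # SSH identification string, e.g. SSH-2.0-OpenSSH_5.1
    if first_line.startswith(b"HTTP/"):
        return "http"   # HTTP status line
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a minimal HTTP request and classify whatever answers first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        return classify_banner(s.recv(256))

URL_ATTR = re.compile(r'''(?:href|src|action)\s*=\s*["']([^"']+)["']''', re.I)

def urls_on_wrong_port(html: str, http_port: int) -> list:
    """Return absolute http(s) URLs whose port is not the web server's."""
    bad = []
    for url in URL_ATTR.findall(html):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # relative links inherit the page's own host and port
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port != http_port:
            bad.append(url)
    return bad

# Constructed sample: a generated page where the SSH port (2222) was
# configured in place of the HTTP port (8080).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://server.example:2222/style.css">
</head><body>
<form action="http://server.example:2222/cgi-bin/form.py" method="post"></form>
<a href="http://server.example:8080/index.html">home</a>
<a href="about.html">about</a>
</body></html>"""

if __name__ == "__main__":
    for url in urls_on_wrong_port(SAMPLE_PAGE, http_port=8080):
        print("wrong port:", url)
```

Running `probe()` against the port taken from a flagged URL tells a misdirected link (the answer is `ssh` from the machine's own sshd) apart from an unexpected service on the real web port.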
 
Old 03-08-2009, 04:02 PM   #6
mesiol
Member
 
Registered: Nov 2008
Location: Lower Saxony, Germany
Distribution: CentOS, RHEL, Solaris 10, AIX, HP-UX
Posts: 731

Rep: Reputation: 137
Hi,

So all came to a happy end *g*
 
  

