Apache security issue
Posted: 2018/07/31 06:05:00
Hi There,
I've noticed a few oddities on a webserver I'm hosting for a few customers, but tracking the actual security hole seems a lot more challenging than originally anticipated.
So I've started noticing these entries when running netstat. Unfortunately I didn't gather enough data before restarting Apache. I'll get more data next time but thought to post what I have.
So this seemed suspicious since there's no reason for my webserver to connect outside to port 80. Any idea how this is done?
tcp 0 1 x.x.x.x:41782 91.191.19.205:80 SYN_SENT
tcp 0 1 x.x.x.x:41780 91.191.19.205:80 SYN_SENT
tcp 0 1 x.x.x.x:41778 91.191.19.205:80 SYN_SENT
tcp 0 1 x.x.x.x:41768 91.191.19.205:80 SYN_SENT
lsof -Pwlni |grep 91.191.19.205
/usr/bin/ 10296 48 3u IPv4 15447859 0t0 TCP x.x.x.x:45286->91.191.19.205:80 (SYN_SENT)
PID 10296 was referring to a non-existing process (/usr/bin/atd). Sorry, I lost the lsof data for this specific process.
I've also noticed a few other processes running under the apache username (syslogd, apache2), which he somehow installed under the shared memory folder (/dev/shm/.mine).
[root@eu-hosting1 shm]# pwd
/dev/shm
[root@eu-hosting1 shm]# ls -la
total 0
drwxrwxrwt 3 root root 60 Jul 31 08:02 .
drwxr-xr-x 18 root root 2780 Jul 13 18:05 ..
drwxr-xr-x 2 apache apache 280 Jun 16 23:35 .mine
[root@eu-hosting1 .mine]# ls -la
total 3620
drwxr-xr-x 2 apache apache 280 Jun 16 23:35 .
drwxrwxrwt 3 root root 60 Jul 31 08:02 ..
-rwxr-xr-x 1 apache apache 303 Jun 4 19:14 a
-rwxr-xr-x 1 apache apache 1476 Jul 25 22:35 apache2
-rw-r--r-- 1 apache apache 6 Jul 30 21:12 bash.pid
-rw-r--r-- 1 apache apache 45 Jul 30 21:12 cron.d
-rw-r--r-- 1 apache apache 15 Jul 30 21:12 dir.dir
-rwxr-xr-x 1 apache apache 15125 Feb 20 2016 e
-rwxr-xr-x 1 apache apache 838583 Feb 20 2016 f
-rwxr-xr-x 1 apache apache 281 Jun 10 00:30 r
-rwxr-xr-x 1 apache apache 1687632 May 6 16:28 syslogd
-rwxr-xr-x 1 apache apache 1125152 Jun 9 16:43 systemd
-rwxr--r-- 1 apache apache 176 Jul 30 21:12 upd
-rwxr-xr-x 1 apache apache 24 Oct 4 2017 x
Any help or pointer will be highly appreciated.
Thanks in advance,
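Triage helpers for the three indicators in the post (outbound SYN_SENT connections from the server, a PID whose binary no longer exists, and executables living under /dev/shm), as an added example that is not part of the original post. It assumes the web server runs as user "apache" and that netstat output is in the format quoted above; the sample lines are constructed.

```python
import os
import pwd
import re

# Assumption (not from the post): the web server runs as user "apache".
WEB_USER = "apache"
SUSPECT_DIRS = ("/dev/shm", "/tmp", "/var/tmp")  # no real service binary lives here

# Constructed sample in the layout of the netstat output quoted above.
SAMPLE_NETSTAT = """\
tcp 0 1 10.0.0.5:41782 203.0.113.9:80 SYN_SENT
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.8:40000 ESTABLISHED
"""
NETSTAT_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def outbound_connections(netstat_text, served_ports=(80, 443)):
    """Sockets where this host is the client: ephemeral local port, well-known remote port."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and int(m.group(2)) not in served_ports and int(m.group(4)) < 1024:
            found.append((m.group(3), int(m.group(4)), m.group(5)))
    return found

def exe_verdict(exe_target):
    """Classify the target of /proc/<pid>/exe; readlink marks a removed binary ' (deleted)'."""
    if exe_target.endswith(" (deleted)"):
        return "deleted-binary"
    if exe_target.startswith(SUSPECT_DIRS):
        return "runs-from-tmpfs"
    return "ok"

def scan_processes(username=WEB_USER):
    """Processes owned by `username` whose binary is deleted or under SUSPECT_DIRS (run as root)."""
    try:
        uid = pwd.getpwnam(username).pw_uid
    except KeyError:
        return []  # user does not exist on this host
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if os.stat(f"/proc/{pid}").st_uid != uid:
                continue
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or not permitted to read its exe link
        verdict = exe_verdict(target)
        if verdict != "ok":
            hits.append((int(pid), target, verdict))
    return hits
```

Run scan_processes() as root on the affected host; a hit whose verdict is "deleted-binary" matches the lsof line above, and "runs-from-tmpfs" matches the files under /dev/shm/.mine.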