
Re: apache / exe process taking 99 % cpu



On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> > On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > > I added an iptables rule to the OUTPUT chain dropping all tcp packets to
> > > that box:port and guess what? My server was back idle again. No more 99 %
> > > cpu usage and the process now sits there.
> >
> > Seems like the process is a DoS zombie. Probably it opened as many
> > connections to that machine, as possible, and that caused the heavy CPU
> > utilization.
> 
> Hmm, there wasn't much network traffic, at least not significantly more 
> than some other time.

A DoS does not necessarily mean a lot of traffic byte-wise. Remember
that it only takes 2 packets sent and one received to initiate a TCP
connection. And creating a huge number of connections certainly can be
considered a DoS.

But anyway.. who knows... maybe it was a broken worm or something..

> There's more interesting news:
> As I stopped apache, the other apache proc immediately took port 443 and 
> listened on it. A little while later port 80 was also in use. I connected 
> to both of them with a browser and with telnet but there was no response.
> 
> This fact made me think that someone really hacked me, because ports 80 
> and 443 can only be opened with root permissions.

Had the apache you shut down been listening on port 443?

I suspect there is an exploit which somehow "infects" an apache process
(probably by exploiting some PHP memory management bug) and takes over
the port when apache shuts down. I say so because I have seen such
situations two times myself, and there also was no other sign of the
attacker gaining root access.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
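Two things a practitioner would want to verify on a box like this are (a) whether the suspect process really holds a large number of connections to one remote box:port, which is what the "DoS zombie" theory above predicts even when byte counts look normal, and (b) which sockets are listening on privileged ports (below 1024) and under which uid, which is the question behind "the other apache proc took port 443". The script below is an added example, not code from this thread or from Debian; it reads the kernel's /proc/net/tcp table directly, so it works even if netstat or lsof have been trojaned. The sample table embedded in it is constructed, and the address decoding assumes a little-endian (x86) host, which is how the kernel writes IPv4 addresses in that file. One caveat on the poster's reasoning: on Linux a process holding CAP_NET_BIND_SERVICE can also bind ports below 1024, so a low-port listener is strong but not conclusive evidence of a root compromise.

```python
"""Inspect /proc/net/tcp for the two symptoms discussed in the thread:
many connections to one remote box:port, and unexpected listeners on
privileged ports. Added example; the SAMPLE table below is constructed."""
import glob
import os
import socket
import struct

# Socket state codes as the kernel prints them in /proc/net/tcp
LISTEN = "0A"
ESTABLISHED = "01"

# Constructed /proc/net/tcp: listeners on 80, 443 and 22 owned by uid 0,
# plus three sockets from uid 33 (www-data on Debian) to 10.0.0.5:80.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 00000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 00000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 00000000 100 0 0 10 0
   3: 0200000A:8001 0500000A:0050 01 00000000:00000000 00:00000000 00000000    33        0 10004 1 00000000 20 4 30 10 -1
   4: 0200000A:8002 0500000A:0050 01 00000000:00000000 00:00000000 00000000    33        0 10005 1 00000000 20 4 30 10 -1
   5: 0200000A:8003 0500000A:0050 02 00000000:00000000 00:00000000 00000000    33        0 10006 1 00000000 20 4 30 10 -1
"""


def _hex_addr(field):
    """Turn '0100007F:0050' into ('127.0.0.1', 80).

    The kernel writes the IPv4 address in host byte order, so on a
    little-endian (x86) host the bytes are reversed; this assumes x86."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of socket records."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": _hex_addr(f[1]),
            "remote": _hex_addr(f[2]),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def privileged_listeners(rows):
    """Sockets in LISTEN state bound to a port below 1024."""
    return [r for r in rows if r["state"] == LISTEN and r["local"][1] < 1024]


def connections_to(rows, ip, port):
    """All non-listening sockets whose peer is ip:port (any TCP state):
    a large count here with little traffic is the 'many connections'
    pattern, not a bandwidth flood."""
    return [r for r in rows
            if r["remote"] == (ip, port) and r["state"] != LISTEN]


def pid_for_inode(inode):
    """Map a socket inode to the PID owning it by walking /proc/*/fd.
    Needs root to read other users' fd links; returns None if not found."""
    target = "socket:[%d]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Run against the live kernel table when available, else the sample.
    try:
        with open("/proc/net/tcp") as fh:
            rows = parse_proc_net_tcp(fh.read())
    except OSError:
        rows = parse_proc_net_tcp(SAMPLE)
    for r in privileged_listeners(rows):
        print("LISTEN %s:%d uid=%d pid=%s"
              % (r["local"][0], r["local"][1], r["uid"],
                 pid_for_inode(r["inode"])))
```

Against the constructed sample this reports listeners on 80, 443 and 22 (all uid 0) and three sockets to 10.0.0.5:80 from uid 33. On a live box, compare the PIDs it prints for ports 80 and 443 with the PIDs of the apache you actually started; a listener whose inode maps to a process you did not start, or to no visible process at all, is the situation Timo describes. The iptables rule from the thread (drop in OUTPUT to that box:port) stops the zombie from completing new connections but leaves the process in place; the process and its binary are what need to be examined.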


