Re: apache / exe process taking 99 % cpu
On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> > On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > > I added an iptables rule to the OUTPUT chain dropping all tcp packets
> > > to that box:port and guess what? My server was back idle again. No more
> > > 99 % cpu usage and the process now sits there.
> > Seems like the process is a DoS zombie. Probably it opened as many
> > connections to that machine, as possible, and that caused the heavy CPU
> > utilization.
> Hmm, there wasn't much network traffic, at least not significantly more
> than some other time.
A DoS does not necessarily mean a lot of traffic byte-wise. Remember
that it only takes 2 packets sent and one received to initiate a TCP
connection. And creating a huge number of connections certainly can be
considered a DoS.
But anyway.. who knows... maybe it was a broken worm or something..
> There's more interesting news:
> As I stopped apache, the other apache proc immediately took port 443 and
> listened on it. A little while later also port 80 was in use. I connected
> to both of them with a browser and with telnet but there was no response.
> This fact made me think, that someone really hacked me, because port 80
> and 443 can only be opened with root permissions.
Had the apache you shut down been listening on port 443?
I suspect there is an exploit which somehow "infects" an apache process
(probably by exploiting some PHP memory management bug) and takes over
the port when apache shuts down. I say so because I have seen such
situations two times myself, and there also was no other sign of the
attacker gaining root access.
Marcin Owsiany <firstname.lastname@example.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
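The two observations above (a process holding many connections to a single remote box:port without much byte traffic, and the fix being an OUTPUT-chain drop for that destination) can be turned into a quick check. The script below is an added example for this thread, not code posted by Marcin or Timo: it reads `netstat -ntp` style output, counts connections per (local process, remote host:port), and prints the iptables rule that would cut off any pair over a threshold. The sample netstat lines, the PIDs, and the addresses (192.0.2.10, 198.51.100.7, 203.0.113.9 are documentation ranges) are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): spot a local
# process that has opened an unusual number of TCP connections to one
# remote host:port, which is the low-bandwidth "connection flood" pattern
# described in the reply, and print the iptables OUTPUT rule that drops
# traffic to that destination. Input is `netstat -ntp` output (ss -ntp can
# be reformatted the same way). The sample below is constructed.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 1234/apache
tcp        0      0 10.0.0.5:36001          192.0.2.10:6667         ESTABLISHED 4321/apache
tcp        0      0 10.0.0.5:36002          192.0.2.10:6667         SYN_SENT    4321/apache
tcp        0      0 10.0.0.5:36003          192.0.2.10:6667         ESTABLISHED 4321/apache
tcp        0      0 10.0.0.5:36004          192.0.2.10:6667         SYN_SENT    4321/apache
tcp        0      0 10.0.0.5:36005          192.0.2.10:6667         ESTABLISHED 4321/apache
tcp        0      0 10.0.0.5:443            203.0.113.9:40001       ESTABLISHED 1234/apache'

# count_by_destination: reads netstat lines on stdin and writes one line per
# (pid/program, remote host, remote port): "<count> <pid/program> <host> <port>",
# highest count first. SYN_SENT entries are counted on purpose: a half-open
# connection already costs the target a socket, which is the point made above
# about a DoS not needing much traffic byte-wise.
count_by_destination() {
    awk '$1 == "tcp" || $1 == "tcp6" {
            n = split($5, a, ":")             # foreign address is field 5
            port = a[n]
            host = $5
            sub(":" port "$", "", host)       # strip the trailing :port
            key = $NF " " host " " port       # $NF is the PID/Program name column
            cnt[key]++
        }
        END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# flag_connection_floods THRESHOLD: for every (process, destination) pair with
# more than THRESHOLD connections, print the iptables rule that drops outbound
# packets to that host:port, the same measure the original poster applied by hand.
flag_connection_floods() {
    threshold=${1:-50}
    count_by_destination | awk -v t="$threshold" '$1 > t {
        printf "iptables -A OUTPUT -p tcp -d %s --dport %s -j DROP\n", $3, $4 }'
}

# Demo against the constructed sample. On a live box, pipe `netstat -ntp`
# (run as root so the PID/Program column is filled in) into the functions.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_destination
printf '%s\n' "$SAMPLE_NETSTAT" | flag_connection_floods 3
```

The threshold is deliberately a parameter: a busy reverse proxy legitimately keeps dozens of connections to one backend, so compare against the host's normal numbers before dropping anything, and check the listed PID against the process that should own it (a PID/Program of `apache` making outbound connections to an unexpected port is the signal the thread is about).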