ubuntu-users@lists.ubuntu.com

Re: compromised apache2?

Subject: Re: compromised apache2?
From: "Yuelin Li"
Date: Tue, 25 Dec 2007 20:36:43 -0500
Found a solution.  It appears to be a denial of service attack.
See http://ubuntu-help.info/

Yuelin.


-- Yuelin Li wrote --|Tue (Dec/25/2007)[06:02]|--:
   I have noticed unexpected tcp connections whenever I start
   /etc/init.d/apache2 (see netstat output below).  These connections
   appear in a couple of minutes, first the top two entries, then four
   and stay at four.  I am not running any other web-related utilities,
   no firefox.  I can't explain why I see them. These connections go away
   almost immediately when I stop apache2. 
   
   My questions are: 1) is my apache2 installation compromised?  and 2)
   if so, how should I remediate it?  Many thanks in advance,
   
   Yuelin.
   
   % netstat -atu
   Active Internet connections (servers and established)
   Proto Recv-Q Send-Q Local Address           Foreign Address         State
   tcp        0      0 *:www                   *:*                     LISTEN
   tcp        0      0 sky.local:www           91-110-14-210.server:96 SYN_RECV
   tcp        0      0 sky.local:www           91-110-14-210.serve:www SYN_RECV
   tcp        0      0 sky.local:www           91-110-14-210.serve:216 SYN_RECV
   tcp        0      0 sky.local:www           91-110-14-210.serve:236 SYN_RECV
   tcp        0      0 localhost:ipp           *:*                     LISTEN
   tcp6       0      0 *:ssh                   *:*                     LISTEN
   
    
   
   
   -- 
   ubuntu-users mailing list
   ubuntu-users@xxxxxxxxxxxxxxxx
   Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
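
Added example, not part of the original messages: a small shell check that counts half-open (SYN_RECV) connections per remote peer in netstat output like the one quoted above. The function names, the threshold of 4 and the numeric sample (documentation addresses) are assumptions made for illustration; the first sample reuses the rows from the post and shows how netstat's truncated host names split one peer into two, which numeric output (netstat -atn) avoids.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) TCP connections per remote peer.

# Reads `netstat -at` style output on stdin and prints "<count> <peer>",
# highest count first. Only rows whose State column is SYN_RECV are counted.
syn_recv_by_peer() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             peer = $5
             sub(/:[^:]*$/, "", peer)      # drop the trailing :port
             n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Prints peers holding at least $1 half-open connections.
# The threshold is an assumption; tune it to the server's normal load.
half_open_suspects() {
    syn_recv_by_peer | awk -v min="$1" '$1 + 0 >= min + 0 { print $2 }'
}

# Rows as posted in the message: names are resolved and truncated by netstat.
SAMPLE_NAMES='tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 sky.local:www           91-110-14-210.server:96 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:www SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:216 SYN_RECV
tcp        0      0 sky.local:www           91-110-14-210.serve:236 SYN_RECV'

# Constructed numeric equivalent (what `netstat -atn` would show), using
# documentation address ranges rather than real hosts.
SAMPLE_NUMERIC='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:96          SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:80          SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:216         SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:236         SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51514     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# Truncated names: the same peer is reported under two different keys.
printf '%s\n' "$SAMPLE_NAMES"   | syn_recv_by_peer
# Numeric output: all four half-open connections land on one peer.
printf '%s\n' "$SAMPLE_NUMERIC" | half_open_suspects 4
```

On a live host the same functions can be fed directly, for example `netstat -atn | half_open_suspects 4`.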
   

