Hi all, I have a server whose apache2 process is generating lots of requests to http://gthfx.com/. That's it. Nothing seems to be sent, and it's always the same page. No cookies. No different URLs. Nothing. Eventually, the apache processes build up, and all the sites stop responding. Restarting apache resolves this, but, of course, the problem slowly builds up again.
I have no idea what this is. Unless this is a command and control waiting for instructions, this seems more like a runaway plugin than some deliberate attack. I cannot, however, seem to find anything that triggers this. I reinstalled apache and all related packages, grepped the site name over etc, /var/log and where my sites are located.
Even if I have been hacked, I need to understand how before I can handle this. If I just reinstall the server (both time consuming and expensive, as I need to provision a temporary server to make a smooth transition), I'm still going to be open to the same attack vector unless I do something.
It seems most likely that the attack (if that's what it was) was rendered through one of the sites. I should point out, however, that the apache server has no write access to any of the web sites it is serving. As such, I cannot see how such an attack can take place, even assuming it is an attack (unless the attacker got actual root, of course).
What I'd really like to do is take such a process that I know is hanging on a connection to the web site, and find out which request it thinks it is serving.
Ideas?
Shachar
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il