[cobalt-users] httpd running but no web except Cobalt GUI
- Subject: [cobalt-users] httpd running but no web except Cobalt GUI
- From: "Gilles Dumangin" <gilles_dumangin@xxxxxxxxxxx>
- Date: Sun Apr 22 19:57:13 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi everybody,
I am unsure if I have been hacked. It is a long message but please bear with
me as I am unsure what to do.
I rebooted my server this morning and since then I have no web services. The
Cobalt GUI is working fine and tells me that the web server is down.
I tried "netstat -lnp" and I have the following:
tcp 0 0 0.0.0.0:7937 0.0.0.0:* LISTEN 568/nsrexecd
tcp 0 0 0.0.0.0:7938 0.0.0.0:* LISTEN 566/nsrexecd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 490/sendmail: accep
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 380/httpd
tcp 0 0 0.0.0.0:444 0.0.0.0:* LISTEN 380/httpd
tcp 0 0 0.0.0.0:617 0.0.0.0:* LISTEN 370/nlservd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 361/sshd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 355/inetd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 355/inetd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 355/inetd
udp 0 0 0.0.0.0:7938 0.0.0.0:* 566/nsrexecd
7 608/portsentry
raw 0 0 0.0.0.0:6 0.0.0.0:* 7 606/portsentry
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 -
raw 0 0 0.0.0.0:6 0.0.0.0:* 7 -
I am not worried about 7937 and 38 as they are Arkeia backup, but I do not have
ports 80 and 443 running, which means that of course I cannot access my
virtual sites. Now as I have portsentry set up, every time somebody accesses my
machine through port 80 (via a web browser), my RAQ3 blocks them and sends
them to the hosts.deny file (I have been locked out myself several times).
However, when I run /etc/rc.d/init.d/httpd status it tells me "httpd (pid
8319 380) is running..." which to me means that apache is up and running,
but still no web access.
I did a chkrootkit and I had this that I did not have before:
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Checking `lkm'... Not Tested: can't exec ./chkproc
Now this looks to me like I have been hacked as it seems to refuse access to
some of the things that are necessary for the system to work.
I was hacked a few months ago and I spent a lot of time securing the machine
and closed all the unnecessary ports and installed all the patches when
available. Last time, after I realised I was hacked, I made a mistake in
rebooting the machine and then telnet was down with no way to access the
machine again. I had to collect it from my ISP and bring it back (at a cost of
USD 750). So I am hesitant to reboot the machine again.
I have checked the archives (again and again) and can't see any problems of
this nature.
Would anybody know what is happening to the machine? I would really
appreciate any help.
Gilles
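Added example, not part of the original post: a small Python check that rejoins wrapped "netstat -lnp" rows like those in the message and compares the listening sockets with the ports each service is expected to hold, which separates "the process is running" from "the process is bound to the right port". The sample rows are constructed in the shape shown above, and the expected-port map (80 and 443 for httpd, 22 for sshd) and the function names are assumptions.

```python
import re

# Constructed sample: rows shaped like the post's output, where the
# PID/program column has wrapped onto its own line.
SAMPLE = """\
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN
380/httpd
tcp 0 0 0.0.0.0:444 0.0.0.0:* LISTEN
380/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
361/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
490/sendmail: accep
"""

PROTO = re.compile(r"^(tcp|udp|raw)\b")
OWNER = re.compile(r"^(\d+)/(.+)$")

def parse_listeners(text):
    """Return [(port, pid, program)] for TCP LISTEN rows, rejoining wrapped owner lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PROTO.match(line):
            records.append(line)            # start of a new socket row
        elif records:
            records[-1] += " " + line       # wrapped PID/program column
    listeners = []
    for rec in records:
        f = rec.split(None, 6)
        if f[0] != "tcp" or len(f) < 6 or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])
        m = OWNER.match(f[6]) if len(f) > 6 else None
        pid, prog = (int(m.group(1)), m.group(2)) if m else (None, None)
        listeners.append((port, pid, prog))
    return listeners

def audit(listeners, expected):
    """expected maps port -> program (an assumption supplied by the admin).
    Returns (missing expected ports, {program: ports it actually holds})."""
    open_ports = {port for port, _, _ in listeners}
    missing = sorted(p for p in expected if p not in open_ports)
    wanted = set(expected.values())
    actual = {}
    for port, _, prog in listeners:
        if prog in wanted:
            actual.setdefault(prog, []).append(port)
    return missing, {k: sorted(v) for k, v in actual.items()}
```

On the constructed sample, `audit(parse_listeners(SAMPLE), {80: "httpd", 443: "httpd", 22: "sshd"})` reports 80 and 443 as missing while httpd holds 81 and 444.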