Attack on web server -> Apache down

marquinhos
Posts: 53
Joined: 2004-01-12 17:55
Location: Fellbach
 

Attack on web server -> Apache down

Post by marquinhos »

Hello everyone,

Early Saturday morning someone apparently took down my web server (Apache). The pages were no longer reachable. I rebooted the machine on Sunday, 13.03. at 11:57.

Can anyone tell me what can be done, or what the log file excerpts below mean:

/var/log/apache2/error_log

Code:

[Sat Mar 12 04:11:20 2005] [error] [client 66.249.64.55] File does not exist: /home/htdocs/web7/html/robots.txt
[Sat Mar 12 04:15:06 2005] [notice] caught SIGTERM, shutting down
[Sun Mar 13 11:57:18 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Sun Mar 13 11:57:18 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Sun Mar 13 11:57:18 2005] [notice] Apache/2.0.49 (Linux/SuSE) configured -- resuming normal operations
[Sun Mar 13 11:57:51 2005] [error] [client 66.249.71.18] File does not exist: /home/htdocs/web7/html/robots.txt

/var/log/messages

Code:

....

Mar 12 04:15:01 p15161259 /USR/SBIN/CRON[20707]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 
Mar 12 04:15:07 p15161259 startproc: startproc:  exit status of parent of /usr/sbin/httpd2-prefork: 1
Mar 12 04:15:07 p15161259 logrotate: ALERT exited abnormally with [1]
Mar 12 04:15:08 p15161259 su: (to nobody) root on none
Mar 12 04:15:08 p15161259 su: pam_unix2: session started for user nobody, service su 
Mar 12 04:15:17 p15161259 su: pam_unix2: session finished for user nobody, service su 
Mar 12 04:16:00 p15161259 /USR/SBIN/CRON[20899]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 

....

Mar 12 04:47:00 p15161259 /USR/SBIN/CRON[21240]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 
Mar 12 04:47:18 p15161259 sshd[21248]: Illegal user postgres from ::ffff:141.165.32.45
Mar 12 04:47:19 p15161259 sshd[21248]: error: Could not get shadow information for NOUSER
Mar 12 04:47:19 p15161259 sshd[21248]: Failed password for illegal user postgres from ::ffff:141.165.32.45 port 58746 ssh2
Mar 12 04:47:22 p15161259 sshd[21250]: Failed password for mysql from ::ffff:141.165.32.45 port 59367 ssh2
Mar 12 04:47:23 p15161259 sshd[21252]: Illegal user postgres from ::ffff:141.165.32.45
Mar 12 04:47:23 p15161259 sshd[21252]: error: Could not get shadow information for NOUSER
Mar 12 04:47:23 p15161259 sshd[21252]: Failed password for illegal user postgres from ::ffff:141.165.32.45 port 59721 ssh2
Mar 12 04:47:25 p15161259 sshd[21254]: Failed password for mysql from ::ffff:141.165.32.45 port 60020 ssh2
Mar 12 04:48:00 p15161259 /USR/SBIN/CRON[21258]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 

.....

Mar 12 05:45:00 p15161259 /USR/SBIN/CRON[21946]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 
Mar 12 05:45:32 p15161259 sshd[21969]: Illegal user postgres from ::ffff:141.165.32.45
Mar 12 05:45:32 p15161259 sshd[21969]: error: Could not get shadow information for NOUSER
Mar 12 05:45:32 p15161259 sshd[21969]: Failed password for illegal user postgres from ::ffff:141.165.32.45 port 47133 ssh2
Mar 12 05:45:34 p15161259 sshd[21971]: Failed password for mysql from ::ffff:141.165.32.45 port 47550 ssh2
Mar 12 05:45:36 p15161259 sshd[21973]: Illegal user postgres from ::ffff:141.165.32.45
Mar 12 05:45:36 p15161259 sshd[21973]: error: Could not get shadow information for NOUSER
Mar 12 05:45:36 p15161259 sshd[21973]: Failed password for illegal user postgres from ::ffff:141.165.32.45 port 47847 ssh2

.....

Mar 12 06:21:00 p15161259 /USR/SBIN/CRON[22400]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh) 
Mar 12 06:21:49 p15161259 sshd[22408]: Failed password for news from ::ffff:141.165.32.45 port 34907 ssh2
Mar 12 06:21:50 p15161259 sshd[22410]: Failed password for uucp from ::ffff:141.165.32.45 port 35785 ssh2
Mar 12 06:21:51 p15161259 sshd[22412]: Failed password for news from ::ffff:141.165.32.45 port 36072 ssh2
Mar 12 06:21:53 p15161259 sshd[22414]: Failed password for uucp from ::ffff:141.165.32.45 port 36258 ssh2
Mar 12 06:22:00 p15161259 /USR/SBIN/CRON[22417]: (root) CMD (/root/confixx/confixx_counterscript.pl && /root/bin/fix-confixx-spamd-chown-bug.sh)
Thanks!

Regards

Markus
Last edited by marquinhos on 2005-03-14 09:26, edited 1 time in total.
chris76
Posts: 1878
Joined: 2003-06-27 14:37
Location: Germering
 

Re: Attack on web server -> Apache down

Post by chris76 »

I don't see any attack on Apache. Logrotate had an error, and that is why your Apache is no longer running.
The only "attacks" are login attempts on ssh.
Regards, Christian

BofH excuses: YOU HAVE AN I/O ERROR -> Incompetent Operator error
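The reading given in the reply above can be checked against the timestamps. The following is an added example, not part of the original posts: it takes a subset of the log lines quoted in the first post, finds the Apache shutdown, lists what syslog recorded within five seconds of it, and summarizes the failed ssh logins. The function names and the five-second window are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: a subset of the lines quoted in the thread (error_log and messages).
APACHE_ERROR_LOG = """\
[Sat Mar 12 04:11:20 2005] [error] [client 66.249.64.55] File does not exist: /home/htdocs/web7/html/robots.txt
[Sat Mar 12 04:15:06 2005] [notice] caught SIGTERM, shutting down
[Sun Mar 13 11:57:18 2005] [notice] Apache/2.0.49 (Linux/SuSE) configured -- resuming normal operations
"""
SYSLOG = """\
Mar 12 04:15:07 p15161259 startproc: startproc:  exit status of parent of /usr/sbin/httpd2-prefork: 1
Mar 12 04:15:07 p15161259 logrotate: ALERT exited abnormally with [1]
Mar 12 04:47:18 p15161259 sshd[21248]: Illegal user postgres from ::ffff:141.165.32.45
Mar 12 04:47:19 p15161259 sshd[21248]: Failed password for illegal user postgres from ::ffff:141.165.32.45 port 58746 ssh2
Mar 12 04:47:22 p15161259 sshd[21250]: Failed password for mysql from ::ffff:141.165.32.45 port 59367 ssh2
Mar 12 06:21:49 p15161259 sshd[22408]: Failed password for news from ::ffff:141.165.32.45 port 34907 ssh2
Mar 12 06:21:50 p15161259 sshd[22410]: Failed password for uucp from ::ffff:141.165.32.45 port 35785 ssh2
"""
YEAR = 2005  # syslog lines carry no year; taken from the Apache log
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (?:::ffff:)?(\S+) port")

def apache_events(text):
    """Yield (timestamp, message) for [notice] lines of the Apache error log."""
    for m in re.finditer(r"^\[(.+?)\] \[notice\] (.*)$", text, re.M):
        yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def syslog_events(text):
    """Yield (timestamp, 'host tag: message') for classic syslog lines."""
    for line in text.splitlines():
        ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
        yield ts, line[16:]

def triage():
    stop = next(ts for ts, msg in apache_events(APACHE_ERROR_LOG) if "SIGTERM" in msg)
    sys_ev = list(syslog_events(SYSLOG))
    # Anything logged within 5 seconds of the shutdown is the likely trigger.
    near = [msg.split(" ", 1)[1] for ts, msg in sys_ev if abs((ts - stop).total_seconds()) <= 5]
    fails = [(ts, *FAILED.search(msg).groups()) for ts, msg in sys_ev if FAILED.search(msg)]
    per_ip = Counter(ip for _, _, ip in fails)
    users = sorted({user for _, user, _ in fails})
    first_ssh = min(ts for ts, _, _ in fails)
    return {"stop": stop, "near": near, "per_ip": per_ip, "users": users,
            "ssh_after_stop_s": (first_ssh - stop).total_seconds()}

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, "=", value)
```

On these lines the only entries next to the SIGTERM are the startproc and logrotate messages, and the first failed ssh password comes more than half an hour after Apache had already stopped.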
marquinhos
Posts: 53
Joined: 2004-01-12 17:55
Location: Fellbach
 

Re: Attack on web server -> Apache down

Post by marquinhos »

Hey Chris,

what can I do?

Do you have any tips on logrotate?

Why did the error occur?

I found this:
http://www.linuxfibel.de/protocol.htm#logrotate

Thanks.

Markus
marquinhos
Posts: 53
Joined: 2004-01-12 17:55
Location: Fellbach
 

Re: Attack on web server -> Apache down

Post by marquinhos »

My logrotate.conf

Code:

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# uncomment these to switch compression to bzip2
#compresscmd /usr/bin/bzip2
#uncompresscmd /usr/bin/bunzip2

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
#/var/log/wtmp {
#    monthly
#    create 0664 root utmp
#    rotate 1
#}

# system-specific logs may be also be configured here.
chris76
Posts: 1878
Joined: 2003-06-27 14:37
Location: Germering
 

Re: Attack on web server -> Apache down

Post by chris76 »

In your /etc/logrotate.d there is a file named apache.
In it, try swapping reload for restart.
Regards, Christian

marquinhos
Posts: 53
Joined: 2004-01-12 17:55
Location: Fellbach
 

Re: Attack on web server -> Apache down

Post by marquinhos »

The apache2 file already says restart everywhere .... so why wasn't it restarted???

Code:

/var/log/apache2/access_log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 644 root root
    postrotate
     /etc/init.d/apache2 restart
    endscript
}

/var/log/apache2/error_log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+1024k
    notifempty
    missingok
    create 644 root root
    postrotate
     /etc/init.d/apache2 restart
    endscript
}

/var/log/apache2/suexec.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+1024k
    notifempty
    missingok
    create 644 root root
    postrotate
     /etc/init.d/apache2 restart
    endscript
}

/var/log/apache2/ssl_request_log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 644 root root
    postrotate
     /etc/init.d/apache2 restart
    endscript
}

/var/log/apache2/ssl_engine_log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+1024k
    notifempty
    missingok
    create 644 root root
    postrotate
     /etc/init.d/apache2 restart
    endscript
}
chris76
Posts: 1878
Joined: 2003-06-27 14:37
Location: Germering
 

Re: Attack on web server -> Apache down

Post by chris76 »

Board search: Apache AND logrotate
Regards, Christian
