Apache hijacked!? - Help needed Urgently !!! - output.txt (0/1)

We have been noticing some strange errors on two of our servers recently, such
as failure to mount floppy disks and failure to eject the CD-ROM drive. At
least these are the ones that caught our attention. Nobody has physical access
to the server, and nobody that has root access has tried to do either of the
above. Somewhere along the line I found modprobe in one of the error messages.

I made a wrapper for the modprobe command (in the attachment).

Randomly (maybe once every other day), I actually get email from this script
(also in the attachment).

I am extremely concerned about this because it appears that modprobe is being
run by the web server (as root, nonetheless).
I cannot think of anything that would rationalize Apache running modprobe.

Any ideas on what may have caused this? (PS: The timing is not consistent, and I
don't see anything in cron that would do this.)

And in a worst-case scenario, if this is a real break-in, what can I do to
catch the user in the act?
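
The attachment with the poster's wrapper is not part of this page. As an added example (not the poster's script), this is one way such a wrapper can record which process chain invoked modprobe, by walking parent PIDs through `/proc/<pid>/status`. The paths `/sbin/modprobe.real` and `/var/log/modprobe-wrapper.log` and the `PROC_ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the poster's attachment. Install in place of modprobe
# after moving the real binary aside. All paths below are assumptions.
PROC_ROOT="${PROC_ROOT:-/proc}"                        # overridable for testing
REAL_MODPROBE="${REAL_MODPROBE:-/sbin/modprobe.real}"  # hypothetical location
LOG_FILE="${LOG_FILE:-/var/log/modprobe-wrapper.log}"  # hypothetical log file

# Print one field (e.g. Name, PPid, Uid) from <PROC_ROOT>/<pid>/status.
status_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$PROC_ROOT/$1/status" 2>/dev/null | head -n 1
}

# Walk from a PID up through its parents, printing one line per process.
ancestry() {
    pid=$1
    depth=0
    while [ "$pid" -gt 0 ] 2>/dev/null && [ "$depth" -lt 32 ]; do
        [ -r "$PROC_ROOT/$pid/status" ] || break
        name=$(status_field "$pid" Name)
        ppid=$(status_field "$pid" PPid)
        # The Uid line holds real, effective, saved, fs; keep real/effective.
        uid=$(status_field "$pid" Uid | awk '{print $1 "/" $2}')
        printf 'pid=%s ppid=%s uid=%s name=%s\n' "$pid" "$ppid" "$uid" "$name"
        pid=$ppid
        depth=$((depth + 1))
    done
}

# Log the invocation and its ancestry, then hand over to the real modprobe.
wrapper_main() {
    {
        printf '=== %s modprobe %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
        ancestry "$$"
    } 2>/dev/null >> "$LOG_FILE"
    exec "$REAL_MODPROBE" "$@"
}

# Only act as the wrapper when invoked under the name "modprobe".
case "${0##*/}" in
    modprobe) wrapper_main "$@" ;;
esac
```

Each log entry lists the wrapper's own process first, then its parent, grandparent and so on, with real/effective UIDs, so an entry whose parent is `httpd` can be lined up against the web server's access log for the same timestamp.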

Re: Apache hijacked!? - Help needed Urgently !!! - output.txt (0/1)

Crap.. Sorry about this double post.
I got an error message about the attachment, and thought the post didn't go
