#1  Captain, 6th August 2010, 13:07
Chkrootkit check

Hello!

After checking for rootkits with chkrootkit I have this log:
Code:
Checking `bindshell'...                                     INFECTED (PORTS:  1524 6667 31337)
On my main router firewall these ports are closed.
What does this log mean?

Thanks!
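The chkrootkit `bindshell` test does not probe the network; it reads the local socket table (`netstat -an`) and prints INFECTED whenever something on the host is listening on a port from its built-in list, 1524, 6667 and 31337 among them. A router firewall in front of the server therefore makes no difference to this result, and a legitimate daemon bound to one of those ports (an IRC server on 6667 is the classic false positive) produces exactly this line. The useful next step is to find out which process owns each flagged socket. What follows is an added example, not code from the thread or from chkrootkit: a POSIX shell function that reads `ss -lntp` output and reports the owner of every listener on the flagged ports. The `ss` sample is constructed for the demo, and the names `flagged_listeners`, `report_flagged`, `FLAGGED_PORTS` and `SAMPLE_SS` are mine.

```shell
#!/bin/sh
# Added example (not from the thread, not part of chkrootkit): find the owner
# of every listening socket on the ports chkrootkit's bindshell test flagged.
# Input is the output of `ss -lntp`; the sample below is constructed.

FLAGGED_PORTS="1524 6667 31337"   # the ports from the chkrootkit line in the post

# flagged_listeners "PORTS" < ss-output
# Prints "<port> LISTEN <name>[<pid>]" for each flagged port with a listener
# and "<port> closed -" for the rest, in the order the ports were given.
flagged_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # local address is column 4
            if (!(port in want)) next
            proc = "unknown"                      # -p needs root to name sockets of other users
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)   # users:(("ircd",pid=2210
                name = s; sub(/.*\(\("/, "", name); sub(/".*/, "", name)
                pid = s;  sub(/.*pid=/, "", pid)
                proc = name "[" pid "]"
            }
            seen[port] = 1
            print port, "LISTEN", proc
        }
        END { for (i = 1; i <= n; i++) if (!(p[i] in seen)) print p[i], "closed", "-" }
    '
}

# Constructed `ss -lntp` sample, not the poster's real output. The IRC daemon on
# 6667 is a common benign cause of this chkrootkit finding; the perl process
# bound to 1524 is the kind of listener that needs a closer look.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN  0      128    0.0.0.0:6667        0.0.0.0:*        users:(("ircd",pid=2210,fd=6))
LISTEN  0      5      127.0.0.1:1524      0.0.0.0:*        users:(("perl",pid=4101,fd=3))
LISTEN  0      128    [::]:80             [::]:*           users:(("apache2",pid=1401,fd=4))'

# report_flagged: run the check over the constructed sample.
report_flagged() {
    printf '%s\n' "$SAMPLE_SS" | flagged_listeners "$FLAGGED_PORTS"
}

report_flagged
# On the real host, as root so that every socket owner is visible:
#   ss -lntp | flagged_listeners "$FLAGGED_PORTS"
```

Run it as root, otherwise `-p` cannot name sockets owned by other users and the owner column reads `unknown`. A kernel-level rootkit that hides sockets from `ss` and `netstat` hides them from chkrootkit's test as well, so a disagreement between this output, `/proc/net/tcp` and a port scan from a neighbouring host is itself a finding.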
#2  falko (Super Moderator), 7th August 2010, 14:22

Please install rkhunter and see what it says. Maybe there's really a rootkit on your server.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3  Captain, 9th August 2010, 14:25

rkhunter --check

Code:
Rootkit checks...
    Rootkits checked : 245
    Possible rootkits: 0
#4  falko, 10th August 2010, 17:13

Hm, not sure what to make of this. Maybe there's malware installed, maybe not... If you want to be sure, you should set up the server again. If that's too much hassle, you should check whether your server is behaving as it should.
#5  Captain, 11th August 2010, 09:22

I have ISPConfig 2 on this server, with web, mail, DNS and FTP servers.
Reinstalling this server is impossible. It is a very big job, and this server works day and night.
Can I check for malware with another program?
#6  falko, 12th August 2010, 13:43

I understand. If I were you, I'd keep an eye on the server to see if it behaves in a strange way or not.
#7  Captain, 12th August 2010, 14:07

I check the server every day.
And sometimes I have a problem: my Apache goes down.
In htop I see that Apache has ~450 tasks, and after that it goes down and I can't open any site on my server. After restarting Apache everything works OK. But it still repeats sometimes.

What is it? Can you help me?
Big thanks!

P.S.
What does this log mean?

Code:
Aug 12 14:16:22 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:16:25 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:16:43 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web64
Aug 12 14:16:47 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web34
Aug 12 14:17:01 itex CRON[3278]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 14:17:01 itex CRON[3278]: pam_unix(cron:session): session closed for user root
Aug 12 14:17:05 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web73
Aug 12 14:17:10 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web19
Aug 12 14:17:25 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web40
Aug 12 14:17:30 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web23
Aug 12 14:17:35 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web75
Aug 12 14:17:40 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web30
Aug 12 14:17:46 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:17:46 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:17:52 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web66
Aug 12 14:17:56 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web52
Aug 12 14:18:00 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web74
Aug 12 14:18:03 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web35
Aug 12 14:18:15 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web39
In Apache's error.log:

Code:
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mhash.so' - /usr/lib/php5/20090626+lfs/mhash.so: cannot open shared object file: No s$
[Thu Aug 12 13:59:30 2010] [notice] mod_python: Creating 8 session mutexes based on 250 max processes and 0 max threads.
[Thu Aug 12 13:59:30 2010] [notice] mod_python: using mutex_directory /tmp
[Thu Aug 12 13:59:31 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$
[Thu Aug 12 14:04:47 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Aug 12 14:14:04 2010] [notice] caught SIGTERM, shutting down
[Thu Aug 12 14:14:05 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/idn.ini on line 1 in Unknown on line 0
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imap.ini on line 1 in Unknown on line 0
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mhash.ini on line 1 in Unknown on line 0
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/ming.ini on line 1 in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mhash.so' - /usr/lib/php5/20090626+lfs/mhash.so: cannot open shared object file: No s$
[Thu Aug 12 14:14:05 2010] [notice] mod_python: Creating 8 session mutexes based on 250 max processes and 0 max threads.
[Thu Aug 12 14:14:05 2010] [notice] mod_python: using mutex_directory /tmp
[Thu Aug 12 14:14:05 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$

Last edited by Captain; 12th August 2010 at 14:24.
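The sudo lines show the `admispconfig` user (ISPConfig's own account) running `du` over each site's web root from inside the ISPConfig tree, which is what the panel's disk-usage accounting looks like; the thing to verify is that nothing else ever appears in that log. `server reached MaxClients` means every Apache worker slot was busy (the mod_python line puts the limit at 250) and new requests queued until the restart, which fits the symptom in the post; until the busy requests say otherwise it is a capacity or runaway-request problem, not evidence of malware. The following is an added example, not code from the thread or from ISPConfig: two shell functions, an allowlist audit of sudo invocations and a count of MaxClients and restart events, run over lines copied from the post plus one constructed sudo line from `www-data` that shows what the allowlist is there to catch. The names `sudo_audit`, `apache_pressure`, `audit_sample`, `pressure_sample` and the allowlist string are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): triage the two logs
# from the post. Auth-log lines are copied from the post except the last one,
# which is constructed; the error-log lines are from the post (truncated as there).

# sudo_audit "user:/path/cmd ..." < auth.log
# Prints "OK|REVIEW <count> <user>:<command>" per distinct (user, command);
# REVIEW marks anything outside the allowlist. Failed attempts
# ("user NOT in sudoers") carry COMMAND= too and are counted the same way.
sudo_audit() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        / sudo: / && / COMMAND=/ {
            user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
            cmd  = $0; sub(/.*COMMAND=/, "", cmd); sub(/ .*/, "", cmd)
            count[user ":" cmd]++
        }
        END { for (k in count) print (k in ok ? "OK" : "REVIEW"), count[k], k }
    ' | sort
}

# apache_pressure < error.log
# One line: how often MaxClients was hit, how often Apache was told to stop,
# and how often it started (each start logs a "[notice] Apache/..." line).
apache_pressure() {
    awk '
        /server reached MaxClients/        { max++ }
        /caught SIGTERM, shutting down/    { term++ }
        /\[notice\] Apache\//              { start++ }
        END { printf "maxclients=%d sigterm=%d starts=%d\n", max, term, start }
    '
}

# First four lines copied from the post; the www-data line is constructed.
SAMPLE_AUTH='Aug 12 14:16:22 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:16:43 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web64
Aug 12 14:17:01 itex CRON[3278]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 14:17:05 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web73
Aug 12 14:19:02 itex sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/web24/web ; USER=root ; COMMAND=/bin/sh -c id'

# Lines copied from the post's error.log excerpt.
SAMPLE_ERR='[Thu Aug 12 13:59:31 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$
[Thu Aug 12 14:04:47 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Aug 12 14:14:04 2010] [notice] caught SIGTERM, shutting down
[Thu Aug 12 14:14:05 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Thu Aug 12 14:14:05 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$'

# Only admispconfig running du is expected on this host; everything else is REVIEW.
audit_sample()    { printf '%s\n' "$SAMPLE_AUTH" | sudo_audit "admispconfig:/usr/bin/du"; }
pressure_sample() { printf '%s\n' "$SAMPLE_ERR"  | apache_pressure; }

audit_sample
pressure_sample
# On the real host:  sudo_audit "admispconfig:/usr/bin/du" < /var/log/auth.log
#                    apache_pressure < /var/log/apache2/error.log
```

A REVIEW line is a question, not a verdict: a web-server user invoking sudo at all means code running under Apache tried to escalate, which is worth tracing to the site and script that did it. A rising `maxclients` count with a steady `starts` count points at load; a `starts` count that climbs on its own points at something restarting Apache.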
#8  falko, 13th August 2010, 16:28

Please try to optimize Apache:
http://www.howtoforge.com/configurin...um_performance

Also, you should install monit - it will start Apache again if it goes down: http://www.howtoforge.com/server-mon...ebian-lenny-p2
#9  Captain, 23rd August 2010, 12:23

Thanks! With monit everything works well now.

But I have this log message from monit:
Code:
PID changed Service postfix 

	Date:        Sun, 22 Aug 2010 23:59:53 +0300
	Action:      alert
	Host:        srv.domen.com
	Description: process PID changed to 19903

Your faithful employee,
monit
What does it mean?

Thanks!
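monit's `check process ... with pidfile` test reads the PID from the service's pidfile on every cycle and raises `PID changed` whenever it differs from the value seen on the previous cycle. For postfix that happens on any restart of the master process (a service restart, a package upgrade, or monit's own restart action if it had found postfix down), so the alert on its own says only that the daemon was restarted. The check worth making is whether mail.log shows an ordinary stop and start at that time. The following is an added example, not code from the thread or from monit: a shell version of the PID comparison and a filter that pulls the matching `postfix/master` lines out of a mail log. The mail.log lines are constructed, the PID 19903 is the one from the alert, and the names `pid_changed`, `master_events`, `demo_pid_change` and `SAMPLE_MAIL` are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from monit): what a "PID changed" alert
# is, and how to confirm it was an ordinary restart. mail.log lines are constructed.

# pid_changed STATEFILE PIDFILE
# Compares the PID in PIDFILE with the one recorded in STATEFILE on the
# previous cycle (the same comparison monit makes for "check process ... with pidfile").
# Prints "PID changed to <new>" and returns 0 on a change; returns 1 otherwise.
pid_changed() {
    state=$1; pidfile=$2
    new=$(tr -d ' \n' < "$pidfile")            # postfix pads master.pid with spaces
    old=$(cat "$state" 2>/dev/null || true)
    printf '%s\n' "$new" > "$state"
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        echo "PID changed to $new"
        return 0
    fi
    return 1
}

# master_events PID < mail.log
# Prints the postfix/master lines that account for PID: any master stopping on a
# signal, and the start of the master whose PID is PID. If there is no
# "daemon started" line for PID, the new process was not started the normal way.
master_events() {
    awk -v pid="$1" '
        /postfix\/master\[[0-9]+\]: terminating on signal/ { print; next }
        /postfix\/master\[[0-9]+\]: daemon started/ {
            p = $0; sub(/.*master\[/, "", p); sub(/\].*/, "", p)
            if (p == pid) print
        }
    '
}

# Constructed mail.log excerpt for the minute around the alert in the post.
SAMPLE_MAIL='Aug 22 23:59:41 srv postfix/master[1187]: terminating on signal 15
Aug 22 23:59:44 srv postfix/master[19903]: daemon started -- version 2.7.0, configuration /etc/postfix
Aug 22 23:59:50 srv postfix/smtpd[19910]: connect from unknown[203.0.113.7]'

# demo_pid_change: two monit cycles over a temporary pidfile, the second after a
# simulated restart of the master process.
demo_pid_change() {
    tmp=$(mktemp -d)
    printf '%s\n' "  1187" > "$tmp/master.pid"
    pid_changed "$tmp/state" "$tmp/master.pid" || true   # first cycle: nothing recorded yet
    printf '%s\n' " 19903" > "$tmp/master.pid"           # master restarted with a new PID
    pid_changed "$tmp/state" "$tmp/master.pid"
    rm -rf "$tmp"
}

demo_pid_change
printf '%s\n' "$SAMPLE_MAIL" | master_events 19903
# On the real host:  master_events 19903 < /var/log/mail.log
```

If mail.log shows a clean `terminating on signal 15` followed within seconds by `daemon started` for the new PID, and your own records explain the restart (an upgrade, a manual restart, a monit restart action in monit's log), the alert is noise. A new master with no start line, or one started with a different `configuration` path, is the case that deserves attention.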
All times are GMT +2.