Crash because of this attack

Peter Schwering

[client 81.214.130.74] script '/srv/www/htdocs/confixx/html/attackDoS.php' not found or unable to stat

I found this error in the Confixx error log when the server crashed.

Can someone please help me with how I can prevent this?
 
Well, if nobody else dares, I'll answer.

How does the saying still go? "Facts, facts, facts"...
In server operations it is simply "Logs, logs, logs" ;)

What I'm getting at:
I don't assume that you seriously think we can solve your problem with this one error message.
What is clear (if you think logically) is that this is fairly certainly a server hack, which probably copied some files into your Confixx directory.
At this point, however, we too can only speculate.
We, or rather I, need considerably more information.
What I mean by information:
- detailed logs (only the useful parts, of course... but then possibly system logs as well)
- system details (OS, Apache version, PHP version, etc.)...

"... when the server crashed" ... The words "server" and "crash" should perhaps be explained further here.
Server - the whole server? The Apache web server?
Crash - what kind of crash is this?


I would be glad if my post has encouraged you to be a bit more willing to type, because having to drag every little detail out of everyone is rather exhausting and only makes for slow progress.
 
So then I'll send my Apache error log as well

Code:
[Wed Oct 19 15:50:12 2005] [warn] child process 876 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 879 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 30164 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 29687 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 883 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 890 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 893 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 772 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 775 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 901 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 601 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 490 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 32230 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 905 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 32602 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 946 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 948 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 951 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 621 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 952 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 953 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 954 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 624 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 955 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 956 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 961 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:13 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 15:51:52 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 19 15:51:52 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Oct 19 15:51:54 2005] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Oct 19 15:53:22 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 19 15:53:23 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Oct 19 15:53:25 2005] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations

[Wed Oct 19 22:29:45 2005] [warn] child process 8386 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9258 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9376 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9198 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9340 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9138 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9140 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 7989 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9288 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9038 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9294 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9200 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9201 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9203 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9382 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9154 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9155 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9385 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 7285 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9205 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9392 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9312 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 7288 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9212 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9314 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9342 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 9343 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 7550 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 8962 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [warn] child process 8969 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 22:29:46 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 19 22:29:46 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Wed Oct 19 22:55:55 2005] [warn] child process 11904 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11905 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11906 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11969 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11971 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11988 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11973 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11994 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11915 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11916 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11975 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11976 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11977 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11920 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11978 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11924 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12019 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12020 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12055 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12056 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12057 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 12058 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11082 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11931 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11933 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11934 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11937 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11938 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11222 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11230 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11127 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [warn] child process 11270 still did not exit, sending a SIGTERM
[Wed Oct 19 22:55:55 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 22:55:56 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 19 22:55:56 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Oct 19 22:55:58 2005] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations

[Wed Oct 19 23:06:18 2005] [warn] child process 12711 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12950 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12953 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12371 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13002 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13029 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13034 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12092 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13020 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12101 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13068 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12720 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12109 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12722 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13071 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13021 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12911 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12117 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13083 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12912 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 13087 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12731 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12128 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12733 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12140 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12735 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12644 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12646 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12795 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12656 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:18 2005] [warn] child process 12256 still did not exit, sending a SIGTERM
[Wed Oct 19 23:06:19 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 23:06:19 2005] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 19 23:06:19 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Wed Oct 19 23:06:20 2005] [notice] Apache configured -- resuming normal operations


So once my sites are no longer reachable, I have to restart the whole server to get access again.

If you want other log files, I can gladly publish them here as well.
 
Hello,

I am also of the opinion that your server was hacked and that various files were placed on it. In my view, the interesting thing here is the file "attackDoS.php". And what exactly do you mean by a server crash (the whole server or only individual services)? Perhaps tell the story of how the problem came about, or try to replicate the problem once more. That way the problem can be narrowed down better.

Answers to the following questions would also be of interest:

  • Which operating system, including version?
  • Which Apache version?
  • Which PHP version?
  • etc.

And as server4downs already said, the more information you give us at the start, the faster you can be helped with your problem. Typing three more characters is therefore in your own interest as well.


Regards
Christian
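
Added example, not part of any post in this thread: one way to turn an Apache 2.0 error log like the one posted above into a short list of shutdown episodes (when Apache caught SIGTERM, how many children had to be signalled, and whether the log shows it resuming), which helps answer the "what kind of crash" question. The function names and the shortened sample are assumptions made for this illustration.

```python
import re
from datetime import datetime

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
STUCK = re.compile(r"child process (\d+) still did not exit, sending a SIGTERM")

def shutdown_episodes(lines):
    """Group error-log lines into one record per 'caught SIGTERM' shutdown."""
    episodes, stuck, current = [], [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hit = STUCK.search(m["msg"])
        if hit:
            stuck.append(int(hit.group(1)))  # child that ignored the stop request
        elif "caught SIGTERM, shutting down" in m["msg"]:
            current = {"shutdown": ts, "stuck_pids": stuck, "resumed": None}
            episodes.append(current)
            stuck = []
        elif "resuming normal operations" in m["msg"] and current and not current["resumed"]:
            current["resumed"] = ts  # first successful start after this shutdown
    return episodes

# Constructed sample: a shortened excerpt in the same format as the posted log.
SAMPLE = """\
[Wed Oct 19 15:50:12 2005] [warn] child process 876 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:12 2005] [warn] child process 879 still did not exit, sending a SIGTERM
[Wed Oct 19 15:50:13 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 15:51:54 2005] [notice] Apache/2.0.50 (Linux/SUSE) configured -- resuming normal operations
[Wed Oct 19 22:29:45 2005] [warn] child process 8386 still did not exit, sending a SIGTERM
[Wed Oct 19 22:29:45 2005] [notice] caught SIGTERM, shutting down
[Wed Oct 19 22:29:46 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
""".splitlines()

def summarize(lines):
    """Return (shutdown time, stuck child count, seconds until resumed or None)."""
    rows = []
    for ep in shutdown_episodes(lines):
        down = (ep["resumed"] - ep["shutdown"]).total_seconds() if ep["resumed"] else None
        rows.append((ep["shutdown"].strftime("%H:%M:%S"), len(ep["stuck_pids"]), down))
    return rows

if __name__ == "__main__":
    for when, stuck, down in summarize(SAMPLE):
        print(when, "stuck children:", stuck, "seconds until resumed:", down)
```

An episode with `None` in the last column means the log never shows Apache coming back after that shutdown, which is the point to correlate with system logs and the access log for the same time window.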
 