<html style="direction: ltr;">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<style type="text/css">body p { margin-bottom: 0.2cm; margin-top: 0pt; } </style>
</head>
<body style="direction: ltr;" bidimailui-charset-is-forced="true"
bgcolor="#FFFFFF" text="#000000">
Hi all,<br>
<br>
I have a server whose apache2 process is generating lots of requests
to <a class="moz-txt-link-freetext" href="http://gthfx.com/">http://gthfx.com/</a>. That's it. Nothing seems to be sent, and it's
always the same page. No cookies. No different URLs. Nothing.
Eventually, the apache processes build up, and all the sites stop
responding. Restarting apache resolves this, but, of course, the
problem slowly builds up again.<br>
<br>
I have no idea what this is. Unless this is a command and control
waiting for instructions, this seems more like a runaway plugin than
some deliberate attack. I cannot, however, seem to find anything
that triggers this. I reinstalled apache and all related packages,
grepped the site name over etc, /var/log and where my sites are
located.<br>
<br>
Even if I have been hacked, I need to understand how before I can
handle this. If I just reinstall the server (both time-consuming and
expensive, as I need to provision a temporary server to make a smooth
transition), I'm still going to be open to the same attack vector
unless I do something.<br>
<br>
It seems most likely that the attack (if that's what it was) was
rendered through one of the sites. I should point out, however, that
the apache server has no write access to any of the web sites it is
serving. As such, I cannot see how such an attack can take place,
even assuming it is an attack (unless the attacker got actual root,
of course).<br>
<br>
What I'd really like to do is take such a process that I know is
hanging on connection to the web site, and find out which request it
thinks it is serving.<br>
<br>
Ideas?<br>
<br>
Shachar<br>
</body>
</html>