I've been hacked, or not?

Shachar Shemesh shachar at shemesh.biz
Mon Apr 13 19:34:45 IDT 2015


Hi all,

I have a server whose apache2 process is generating lots of requests to
http://gthfx.com/. That's it. Nothing seems to be sent, and it's always
the same page. No cookies. No different URLs. Nothing. Eventually, the
apache processes build up, and all the sites stop responding. Restarting
apache resolves this, but, of course, the problem slowly builds up again.

I have no idea what this is. Unless this is a command and control
waiting for instructions, this seems more like a runaway plugin than
some deliberate attack. I cannot, however, seem to find anything that
triggers this. I reinstalled apache and all related packages, grepped for the
site name over /etc, /var/log and where my sites are located.

Even if I have been hacked, I need to understand how before I can handle
this. If I just reinstall the server (both time consuming and expensive,
as I need to provision a temporary server to make a smooth transition), I'm
still going to be open to the same attack vector unless I do something.

It seems most likely that the attack (if that's what it was) was
rendered through one of the sites. I should point out, however, that the
apache server has no write access to any of the web sites it is serving.
As such, I cannot see how such an attack can take place, even assuming
it is an attack (unless the attacker got actual root, of course).

What I'd really like to do is take such a process that I know is hanging
on connection to the web site, and find out which request it thinks it
is serving.

Ideas?

Shachar
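The last paragraph asks how to get from "apache is stuck talking to that host" to a concrete worker PID that can be inspected. The script below is an added example, not code from the original post: it does what `ss -tnp dst <ip>` does, but in Python so the steps are visible. It reads /proc/net/tcp, keeps the ESTABLISHED rows whose remote address is the suspect IP, and maps each socket inode back to the PIDs holding it by scanning /proc/<pid>/fd. The /proc/net/tcp text and the inode-to-PID table used in the demonstration are constructed samples; the IP 192.168.2.4 and the PIDs are placeholders, not values from the post.

```python
import os
import re
import socket
import struct
import sys

# Constructed sample of /proc/net/tcp (IPv4, Linux format). rem_address is
# "HEXIP:HEXPORT" with the IP in host byte order; st 01 == ESTABLISHED,
# 0A == LISTEN. Row 1 and 2 are two workers talking to 192.168.2.4:80,
# row 3 is an unrelated local MySQL connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:A3F2 0402A8C0:0050 01 00000000:00000000 00:00000000 00000000    33        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0A00020F:A3F3 0402A8C0:0050 01 00000000:00000000 00:00000000 00000000    33        0 67891 1 0000000000000000 20 4 30 10 -1
   3: 0A00020F:B111 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 67892 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> PID table standing in for a real /proc/<pid>/fd scan.
SAMPLE_INODE_MAP = {67890: {4242}, 67891: {4243}, 67892: {5000}}


def _hex_to_ip(hex_addr):
    """Decode the 8-hex-digit host-byte-order IPv4 field from /proc/net/tcp."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def established_connections(proc_net_tcp_text):
    """Return [(remote_ip, remote_port, socket_inode)] for ESTABLISHED rows."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        rem, state, inode = fields[2], fields[3], fields[9]
        if state != "01":
            continue
        rem_hex, port_hex = rem.split(":")
        rows.append((_hex_to_ip(rem_hex), int(port_hex, 16), int(inode)))
    return rows


def socket_inode_to_pids(proc_root="/proc"):
    """Scan /proc/<pid>/fd and map every socket inode to the PIDs holding it.

    Needs root to see other users' fds; processes that vanish mid-scan are
    silently skipped, which is fine for a point-in-time snapshot.
    """
    mapping = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]", target)
            if m:
                mapping.setdefault(int(m.group(1)), set()).add(int(pid))
    return mapping


def pids_connected_to(remote_ip, proc_net_tcp_text, inode_map):
    """Sorted PIDs that hold an ESTABLISHED connection to remote_ip."""
    pids = set()
    for ip, _port, inode in established_connections(proc_net_tcp_text):
        if ip == remote_ip:
            pids.update(inode_map.get(inode, ()))
    return sorted(pids)


if __name__ == "__main__":
    # Usage: python3 find_peers.py <hostname-or-ip>   (run as root on the server)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.4"
    try:
        target_ip = socket.gethostbyname(target)
    except socket.gaierror:
        target_ip = target  # assume an IP literal was given
    with open("/proc/net/tcp") as fh:
        tcp_text = fh.read()
    for pid in pids_connected_to(target_ip, tcp_text, socket_inode_to_pids()):
        print(pid)
```

Once you have a PID, `strace -p <pid>` (or `gdb -p <pid>` with a backtrace) shows what that worker is blocked in, and since apache forks the worker per request, `/proc/<pid>/cwd` and the open fds under `/proc/<pid>/fd` usually point at the script it was running. For the "which request is it serving" part specifically, mod_status with `ExtendedStatus On` (`apachectl fullstatus` or /server-status) lists the current client and request line per worker slot, which is the quickest way to tie a stuck worker back to a site and URL.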

More information about the Linux-il mailing list