httpd stops and will not restart at midnight.

hagmund

Hello! I have a problem with my CentOS 5 server with DA.
Two nights in a row my website has died (but I can reach ip:2222).

In the error log for Apache I can see:

Code:
[Tue Apr 14 23:45:49 2009] [error] [client 217.79.182.58] File does not exist: /var/www/html/rc
[Tue Apr 14 23:45:49 2009] [error] [client 217.79.182.58] File does not exist: /var/www/html/404.shtml
--23:45:49--  http://217.79.182.58/barbut
--23:45:49--  http://217.79.182.58/barbut
Connecting to 217.79.182.58:80... Connecting to 217.79.182.58:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35336200 OK
Length: 35336 (35K) [text/plain]
 (35K) [text/plain]
Saving to: `barbut'
barbut has sprung into existence.
Retrying.


     0K .......... .......... .......... ....                 100%  889K=0.04s

23:45:49 (889 KB/s) - `barbut' saved [35336/35336]

--23:45:50--  (try: 2)  http://217.79.182.58/barbut
Connecting to 217.79.182.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35336 (35K) [text/plain]
Saving to: `barbut'

     0K .......... .......... .......... ....                 100%  468K=0.07s

23:45:50 (468 KB/s) - `barbut' saved [35336/35336]

[Wed Apr 15 00:10:02 2009] [notice] SIGHUP received.  Attempting to restart
[Wed Apr 15 00:10:03 2009] [warn] module php5_module is already loaded, skipping
[Wed Apr 15 00:10:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Apr 15 00:10:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Wed Apr 15 00:10:04 2009] [notice] Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b DAV/2 PHP/5.2.5 configured -- resuming normal operations
[Wed Apr 15 00:11:01 2009] [notice] caught SIGTERM, shutting down

How do I prevent this from happening again?
Best regards, Hagmund
 
You have possibly been hacked. I did some googling on barbut and came to that conclusion.
 
barbut is one of the hacks installed through a compromised Roundcube exploit. Either update (if you have PHP5) or remove Roundcube, remove all the exploits from /tmp, and remount /tmp as nosuid,noexec,nodev.

Jeff
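
Processes started by an httpd child inherit its stderr, which is why wget output sits between the normal lines of the error log quoted above. The script below is an added example (not from any poster in this thread) that flags such lines; `scan_error_log`, `sample_log` and the sample data (documentation address 192.0.2.10, file name `dropper`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed.
# Anything a process started by an httpd child writes to stderr lands in
# error_log, so wget banners between "[date] [level]" lines mean the web
# server user ran a download.

# scan_error_log [FILE...]  (reads stdin when no file is given)
# Prints "fetch URL" and "saved NAME" once each, then "stray COUNT" for
# every non-blank line that lacks the Apache "[" prefix.
scan_error_log() {
    awk '
        BEGIN { quotes = "[`" sprintf("%c", 39) "]" }  # wget quoting chars
        /^\[/      { next }   # ordinary Apache line: [date] [level] ...
        /^[ \t]*$/ { next }   # blank line
        { stray++ }
        /^--[0-9:]+--/ {      # wget banner: --HH:MM:SS--  (try: N)  URL
            url = $NF
            if (!(url in urls)) { urls[url] = 1; print "fetch " url }
        }
        /^Saving to: / {      # file the download was written to
            name = substr($0, 12)
            gsub(quotes, "", name)
            if (!(name in names)) { names[name] = 1; print "saved " name }
        }
        END { print "stray " stray + 0 }
    ' "$@"
}

# Constructed log excerpt in the same shape as the one posted above.
sample_log() {
    cat <<'EOF'
[Tue Apr 14 23:45:49 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/rc
--23:45:49--  http://192.0.2.10/dropper
Connecting to 192.0.2.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Saving to: `dropper'
--23:45:50--  (try: 2)  http://192.0.2.10/dropper
Saving to: `dropper'
[Wed Apr 15 00:10:02 2009] [notice] SIGHUP received.  Attempting to restart
EOF
}

sample_log | scan_error_log
```

A non-zero `stray` count with `fetch` lines is the signal to look for the saved file in the directories the web server user can write to.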
 
Thanks for the answers!

I have hired a Linux expert who did some work on the server yesterday, and everything seems to be running smoothly now.
 
Same thing here, this bloody Roundcube causes so much stress. For the last 4 days I have been trying to solve it. I have uninstalled Roundcube, secured the tmp folder, and also installed ClamAV and cleaned infected files from maildir with clamscan.

Everything seems to be running fine, but Apache is still getting restarted,

with the following message:

[notice] Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b DAV/2 PHP/5.2.6 configured -- resuming normal operations
[notice] caught SIGTERM, shutting down
 