Hello! After checking for rootkits with chkrootkit I have this log:
Code:
Checking `bindshell'... INFECTED (PORTS: 1524 6667 31337)
On my main router firewall these ports are closed. What does this log mean? Thanks!
Hm, not sure what to make of this. Maybe there's malware installed, maybe not... If you want to go sure, you should set up the server again. If that's too much hassle, you should check if your server is behaving as it should.
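Added example, not from this thread: chkrootkit's `bindshell' test reports INFECTED when something on the host itself accepts a connection on one of the listed ports, so the quickest way to decide between a real problem and a legitimate service is to look at what is listening locally. The script below parses `netstat -ltnp` output (the sample is constructed; PIDs and program names are made up) and maps the ports from the thread to their owning process.

```python
"""Added example, not from this thread: see what is actually listening on the
ports that chkrootkit's `bindshell' test reported (1524 6667 31337).

chkrootkit reports INFECTED when something on the host accepts a connection
on one of those ports, so a closed port on the upstream router makes no
difference; the check belongs on the server. Feed it `netstat -ltnp` output
(run as root, or the program column shows '-'). The sample is constructed."""
import re

# Ports named in the chkrootkit output quoted in this thread.
BINDSHELL_PORTS = {1524, 6667, 31337}

# Constructed sample of `netstat -ltnp` output; PIDs and names are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1490/apache2
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2231/ircd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      1102/master
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)")

def parse_listeners(netstat_output):
    """Return {port: 'pid/program'} for every LISTEN socket in the output."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            port = int(m.group("addr").rsplit(":", 1)[1])
            listeners[port] = m.group("prog")
    return listeners

def flagged_listeners(netstat_output, ports=BINDSHELL_PORTS):
    """Map each flagged port that is open to its owner. 'unknown' means netstat
    printed '-' (no visible process): that is the one to investigate first."""
    listeners = parse_listeners(netstat_output)
    return {port: ("unknown" if listeners[port] == "-" else listeners[port])
            for port in sorted(ports) if port in listeners}

if __name__ == "__main__":
    for port, owner in flagged_listeners(SAMPLE_NETSTAT).items():
        print("port %d is open locally, owner: %s" % (port, owner))
```

A port that is open but has a known daemon behind it (an IRC server on 6667, say) explains the chkrootkit hit; a port with no visible owner is the one to examine with lsof or by checking the package database.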
I have ISPConfig2 on this server, with web, mail, DNS and FTP servers. Reinstalling this server is impossible. It is very big work. And this server works day/night. Can I check for malware with another program?
I understand. If I were you, I'd keep an eye on the server to see if it behaves in a strange way or not.
I check the server every day. And sometimes I have one problem: my Apache goes down. In htop I see that Apache has ~450 tasks, and after that it goes down and I can't open any site on my server. After restarting Apache all works OK. But still sometimes it's repeated. What is it? Can you help me? Big thanks!
P.S. What does this log mean?
Code:
Aug 12 14:16:22 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:16:25 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:16:43 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web64
Aug 12 14:16:47 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web34
Aug 12 14:17:01 itex CRON[3278]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 14:17:01 itex CRON[3278]: pam_unix(cron:session): session closed for user root
Aug 12 14:17:05 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web73
Aug 12 14:17:10 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web19
Aug 12 14:17:25 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web40
Aug 12 14:17:30 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web23
Aug 12 14:17:35 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web75
Aug 12 14:17:40 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web30
Aug 12 14:17:46 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:17:46 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web24
Aug 12 14:17:52 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web66
Aug 12 14:17:56 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web52
Aug 12 14:18:00 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web74
Aug 12 14:18:03 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web35
Aug 12 14:18:15 itex sudo: admispconfig : TTY=unknown ; PWD=/home/admispconfig/ispconfig/web/multidoc/edit ; USER=root ; COMMAND=/usr/bin/du -h --max-depth=1 /var/www/web39
In Apache error.log:
Code:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mhash.so' - /usr/lib/php5/20090626+lfs/mhash.so: cannot open shared object file: No s$
[Thu Aug 12 13:59:30 2010] [notice] mod_python: Creating 8 session mutexes based on 250 max processes and 0 max threads.
[Thu Aug 12 13:59:30 2010] [notice] mod_python: using mutex_directory /tmp
[Thu Aug 12 13:59:31 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$
[Thu Aug 12 14:04:47 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Aug 12 14:14:04 2010] [notice] caught SIGTERM, shutting down
[Thu Aug 12 14:14:05 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/idn.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imagick.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/imap.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mcrypt.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/mhash.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/apache2/conf.d/ming.ini on line 1 in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mhash.so' - /usr/lib/php5/20090626+lfs/mhash.so: cannot open shared object file: No s$
[Thu Aug 12 14:14:05 2010] [notice] mod_python: Creating 8 session mutexes based on 250 max processes and 0 max threads.
[Thu Aug 12 14:14:05 2010] [notice] mod_python: using mutex_directory /tmp
[Thu Aug 12 14:14:05 2010] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_ruby/1.2.6 Ruby/1.8.7(2010-01-10) mod_$
Please try to optimize Apache: http://www.howtoforge.com/configuring_apache_for_maximum_performance Also, you should install monit - it will start Apache again if it goes down: http://www.howtoforge.com/server-monitoring-with-munin-and-monit-on-debian-lenny-p2
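Added example, not from this thread or the linked tutorials: before raising MaxClients or relying on monit restarts, it helps to know how often the limit is hit and how long Apache stays stuck. The script below reads Apache 2.2 error.log lines in the format quoted above, pairs each "server reached MaxClients" error with the next "caught SIGTERM" restart and reports the gap; the sample log is constructed, with times modelled on the thread's.

```python
"""Added example, not from this thread: measure the MaxClients problem from
Apache 2.2 error.log lines like the ones quoted above, before tuning.
Each 'server reached MaxClients' error is paired with the next restart
('caught SIGTERM') to show how long the server sat at its limit.
The sample below is constructed in the thread's log format."""
import re
from datetime import datetime

SAMPLE_LOG = """\
[Thu Aug 12 13:59:31 2010] [notice] Apache/2.2.14 (Ubuntu) configured -- resuming normal operations
[Thu Aug 12 14:04:47 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Aug 12 14:14:04 2010] [notice] caught SIGTERM, shutting down
[Thu Aug 12 14:14:05 2010] [notice] Apache/2.2.14 (Ubuntu) configured -- resuming normal operations
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mhash.so'
[Thu Aug 12 16:40:12 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Thu Aug 12 16:41:00 2010] [notice] caught SIGTERM, shutting down
"""

# "[Thu Aug 12 14:04:47 2010] [level] message"; the day may be space-padded.
LINE_RE = re.compile(r"^\[(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\] \[(?P<level>\w+)\] (?P<msg>.*)$")

def parse_events(log_text):
    """Yield (datetime, level, message) for timestamped lines; untimestamped
    lines such as the PHP startup warnings are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
                   m.group("level"), m.group("msg"))

def maxclients_outages(log_text):
    """Return [(hit_time, seconds_until_restart)], one entry per run of
    MaxClients errors; seconds is None when no restart followed."""
    outages, pending = [], None
    for ts, level, msg in parse_events(log_text):
        if level == "error" and "reached MaxClients" in msg:
            if pending is None:        # Apache 2.2 logs this once per run
                pending = ts
        elif pending is not None and "caught SIGTERM" in msg:
            outages.append((pending, int((ts - pending).total_seconds())))
            pending = None
    if pending is not None:
        outages.append((pending, None))
    return outages

if __name__ == "__main__":
    for hit, secs in maxclients_outages(SAMPLE_LOG):
        print("MaxClients hit at %s, restart after %s s" % (hit, secs))
```

Run it over the real error.log (and its rotated copies) to see whether the hits cluster at particular times, which is the first clue to whether the cause is load, a slow backend, or a flood of connections from a few clients.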
Thanks! With monit now all works well. But I have this log message from monit:
Code:
PID changed Service postfix
Date: Sun, 22 Aug 2010 23:59:53 +0300
Action: alert
Host: srv.domen.com
Description: process PID changed to 19903
Your faithful employee,
monit
What does it mean? Thanks!