> > Hello. > After changing some settings for a domain in Apache it couldn't be > started again. The error message said: > > "Starting web server: Apache2(98)Address already in use: make_sock: > could not bind to address 0.0.0.0:8056 > no listening sockets available, shutting down > Unable to open logs > > We couldn't find any problems and we rebooted the machine. Then Apache > worked fine. But, after changing again some settings in apache and > restarting the web server we had the same problem. > > Then we went to see what's on that port: > netstat -lnp | grep '0.0.0.0:8056' > > and the result was: > > tcp 0 0 0.0.0.0:8056 0.0.0.0:* > LISTEN 13337/flood > > What was that flood? After killing the process apache worked fine.
But were you not curious why it was trying to bind to a port other than 80? > A few days ago there were some problems on the server. we couldn't ssh > to it, the network card was in promiscous mode (it seems it was > attacked). Could it be that somone cracked it? The logs are clean. > It's a Debian Sarge with a 2.4.27-2-686 generic kernel image. Your machine almost certainly has been hacked, and the sshd that is/was running is/was trojaned. You must now treat all accounts used to ssh into or out of that machine as having their passwords no longer secret. Take that machine off the network now. Change passwords everywhere for all accounts that exist on that machine without delay. Anytime that sshd is acting funny, you must consider the likelihood that you have been rooted. Anytime that a network card is in promiscuous mode that is a sure sign that a script kiddie has had free run of the machine. Then, that means that everything on the same segment of the LAN may have also been sniffed, especially if you are using a hub instead of switched ethernet. I would bet that the 'clean logs' are cleaner than they should be. The signs are things like when you run the 'last' command, logins are not shown from prior to the compromise. Other logs will probably have gaps in them. Probably their is a rootkit running and hiding processes, and some of the system binaries have been replaced. So, another set of likely symptoms are 'top', 'ps', 'ls', 'netstat' segfault or are installed more than one place. Some new shutdown, startup, and chron scripts may be present. Some rootkits do not get along well on Debian, and depending on how persistant and knowledgeable your cracker was they may have given up before they got very far. It is extremely difficult to trust anything on a machine after it has been compromised, some would say it is impossible. The usual litany of recommended actions are along the lines of: 1. Take the machine off the network now. 2. Check other machines on the same network for signs of compromise. 3. If you must preserve data or logs, remove the disk(s) and examine them by either booting from known clean media, or placing them in another machine. Avoid mounting the disk(s), use dd with the input as the device name to do backups or preserve log files. 4. Some advise not shutting down, unplug power instead. 5. If there is any desire to get law enforcement involved, pull power and do not attempt any forensics yourself. 6. Personally, I myself have attempted (sucessfully) to first ascertain what ip address range I need to null route at a border gateway router before powering off, but get the machine off the network first. And more, lots more. http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html Good luck
