It has been happening for a while and I still don't know where that comes from.
Check https://savannah.gnu.org/maintenance/SavannahArchitecture (at the bottom)

I do not think there is a system intrusion. I just think something in ViewCVS/co stalls while keeping an associated apache2 (and hence port 80) open. Something like that.

I'm running out of ideas on how to dig this issue. What are your thoughts?

--
Sylvain

On Sun, Mar 12, 2006 at 02:34:34PM -0500, Michael J. Flickinger wrote:
> Hey Beuc,
>
> What's the exact setup for cvs.savannah.gnu.org?
> I figured apache should be running on there for viewcvs and stuff, right?
>
> Today I found that apache on cvs.savannah.gnu.org was dead, but the socket
> was still listening.
> So, I did a `lsof |grep cvs.savannah` and found this:
>
> savannah:~# lsof |grep cvs.savannah
> xinetd 956 root 5u IPv4 15470921 TCP
> cvs.savannah.gnu.org:cvspserver (LISTEN)
> ntpd 1041 root 6u IPv4 7674 UDP
> cvs.savannah.gnu.org:ntp
> sshd 2352 root 5u IPv4 190649048 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435
> (ESTABLISHED)
> sshd 2354 dprice 5u IPv4 190649048 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435
> (ESTABLISHED)
> sshd 3634 root 5u IPv4 555713629 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497
> (ESTABLISHED)
> sshd 3637 dprice 5u IPv4 555713629 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497
> (ESTABLISHED)
> sshd 3776 root 5u IPv4 555720656 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499
> (ESTABLISHED)
> sshd 3784 dprice 5u IPv4 555720656 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499
> (ESTABLISHED)
> co 5171 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5173 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5175 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> cvs 23237 nobody 0u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> cvs 23237 nobody 1u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> cvs 23237 nobody 2u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> sshd 32098 root 3u IPv4 58501544 TCP
> cvs.savannah.gnu.org:https (LISTEN)
> sshd 32098 root 4u IPv4 58501546 TCP
> cvs.savannah.gnu.org:ssh (LISTEN)
> rsync 32157 nobody 4u IPv4 58501632 TCP
> cvs.savannah.gnu.org:2873 (LISTEN)
> savannah:~#
>
>
> All looks normal except for this:
> co 5171 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5173 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5175 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
>
> Looks to me like the `co` program, triggered by cvs somehow hijacked apache?
> Maybe apache just went a little nuts?
>
> I'm a little concerned about this. What are your thoughts?
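
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it parses `lsof` lines and reports listening sockets held by a command that is not the expected owner of that service, grouped by the DEVICE value so that several processes holding the same inherited socket appear together. The `EXPECTED` mapping (including `apache2` as the owner of `www`) and the function names are assumptions; the sample lines are constructed from the output quoted above with the mail line-wrapping rejoined.

```python
from collections import defaultdict

# Constructed sample: lsof lines taken from the quoted message, with the
# mail wrapping rejoined so that each socket is on a single line.
SAMPLE = """\
xinetd 956 root 5u IPv4 15470921 TCP cvs.savannah.gnu.org:cvspserver (LISTEN)
ntpd 1041 root 6u IPv4 7674 UDP cvs.savannah.gnu.org:ntp
co 5171 www-data 3u IPv4 606747908 TCP cvs.savannah.gnu.org:www (LISTEN)
co 5173 www-data 3u IPv4 606747908 TCP cvs.savannah.gnu.org:www (LISTEN)
co 5175 www-data 3u IPv4 606747908 TCP cvs.savannah.gnu.org:www (LISTEN)
sshd 32098 root 4u IPv4 58501546 TCP cvs.savannah.gnu.org:ssh (LISTEN)
rsync 32157 nobody 4u IPv4 58501632 TCP cvs.savannah.gnu.org:2873 (LISTEN)
"""

# Assumption: the command expected to own each listening service on this host.
EXPECTED = {
    "cvspserver": {"xinetd"},
    "www": {"apache2"},
    "ssh": {"sshd"},
    "2873": {"rsync"},
}


def listeners(text):
    """Yield (command, pid, user, device, service) for each LISTEN socket."""
    for line in text.splitlines():
        fields = line.split()
        # Layout: COMMAND PID USER FD TYPE DEVICE NODE NAME (STATE)
        if len(fields) < 8 or fields[-1] != "(LISTEN)":
            continue
        service = fields[-2].rsplit(":", 1)[-1]
        yield fields[0], int(fields[1]), fields[2], fields[5], service


def unexpected_listeners(text, expected=EXPECTED):
    """Map (service, device) -> [(command, pid, user)] for listeners whose
    command is not expected for that service. A service with no entry in
    `expected` is always reported."""
    found = defaultdict(list)
    for cmd, pid, user, device, service in listeners(text):
        if cmd not in expected.get(service, set()):
            found[(service, device)].append((cmd, pid, user))
    return dict(found)


if __name__ == "__main__":
    for (service, device), procs in unexpected_listeners(SAMPLE).items():
        print(f"{service} (device {device}) held by: {procs}")
```
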
