Author: John (EBo) David Date: Subject: odd behaviour -- possibly security compromised
I was compiling some code and searching the web (using Google via
Netscape) when my CPU usage shot up over 4.5, and the NIC card was doing
a hat dance. I tried to bring the machine down gently and the shutdown
hung on shutting down httpd.
I looked at the error log and found the following:
[Fri Dec 7 01:11:01 2001] [error] [client 193.75.33.35] Client sent malformed Host header
[Fri Dec 7 09:46:13 2001] [error] [client 61.163.155.5] Client sent malformed Host header
[Fri Dec 7 21:41:11 2001] [notice] mod_backhand -- UnixSocketDir set to /var/state/backhand
[Fri Dec 7 21:41:13 2001] [notice] mod_backhand -- UnixSocketDir set to /var/state/backhand
[Fri Dec 7 21:41:14 2001] [notice] backhand_init(616) spawning stats things (PID 674)
[Fri Dec 7 21:41:14 2001] [notice] Apache/1.3.14 (Unix) (SuSE/Linux) mod_throttle/3.0 mod_layout/1.0 mod_fastcgi/2.2.2 balanced_by_mod_backhand/1.1.0 mod_perl/1.24 PHP/3.0.17-dev configured -- resuming normal operations
[Fri Dec 7 21:41:14 2001] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Dec 7 21:41:14 2001] [notice] child pid 674 exit signal Segmentation fault (11)
So someone was hitting me with a Code Red (IIRC), but does anyone have a
clue as to what the '"-" 408 -' means and why suEXEC or mod_backhand
would need to be executed later in the day?
The only thing that I have that is out of the ordinary in cron on my
system is that I was playing with mailman, but its cron job does not appear
to be anything odd...