
[Savannah-hackers-public] Re: viewcvs


From: Sylvain Beucler
Subject: [Savannah-hackers-public] Re: viewcvs
Date: Sun, 19 Mar 2006 16:16:52 +0100
User-agent: Mutt/1.5.11+cvs20060126

It has been happening for a while and I still don't know where that comes from.

Check https://savannah.gnu.org/maintenance/SavannahArchitecture (at the bottom)

I do not think there is a system intrusion. I just think something in
ViewCVS/co stalls while keeping an associated apache2 (and hence port
80) open. Something like that. I'm running out of ideas on how to dig
this issue. What are your thoughts?

-- 
Sylvain

On Sun, Mar 12, 2006 at 02:34:34PM -0500, Michael J. Flickinger wrote:
> Hey Beuc,
> 
> What's the exact setup for cvs.savannah.gnu.org?
> I figured apache should be running on there for viewcvs and stuff, right?
> 
> Today I found that apache on cvs.savannah.gnu.org was dead, but the socket 
> was still listening.
> So, I did a `lsof |grep cvs.savannah` and found this:
> 
> savannah:~# lsof |grep cvs.savannah
> xinetd      956        root    5u     IPv4   15470921                   TCP cvs.savannah.gnu.org:cvspserver (LISTEN)
> ntpd       1041        root    6u     IPv4       7674                   UDP cvs.savannah.gnu.org:ntp
> sshd       2352        root    5u     IPv4  190649048                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435 (ESTABLISHED)
> sshd       2354      dprice    5u     IPv4  190649048                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435 (ESTABLISHED)
> sshd       3634        root    5u     IPv4  555713629                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497 (ESTABLISHED)
> sshd       3637      dprice    5u     IPv4  555713629                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497 (ESTABLISHED)
> sshd       3776        root    5u     IPv4  555720656                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499 (ESTABLISHED)
> sshd       3784      dprice    5u     IPv4  555720656                   TCP cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499 (ESTABLISHED)
> co         5171    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> co         5173    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> co         5175    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> cvs       23237      nobody    0u     IPv4  659530770                   TCP cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886 (ESTABLISHED)
> cvs       23237      nobody    1u     IPv4  659530770                   TCP cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886 (ESTABLISHED)
> cvs       23237      nobody    2u     IPv4  659530770                   TCP cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886 (ESTABLISHED)
> sshd      32098        root    3u     IPv4   58501544                   TCP cvs.savannah.gnu.org:https (LISTEN)
> sshd      32098        root    4u     IPv4   58501546                   TCP cvs.savannah.gnu.org:ssh (LISTEN)
> rsync     32157      nobody    4u     IPv4   58501632                   TCP cvs.savannah.gnu.org:2873 (LISTEN)
> savannah:~#
> 
> 
> All looks normal except for this:
> co         5171    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> co         5173    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> co         5175    www-data    3u     IPv4  606747908                   TCP cvs.savannah.gnu.org:www (LISTEN)
> 
> Looks to me like the `co` program, triggered by cvs somehow hijacked apache?
> Maybe apache just went a little nuts?
> 
> I'm a little concerned about this.  What are your thoughts?
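
Added example, not part of either message and not Savannah's own tooling: a check over `lsof` output for the condition discussed in this thread, a listening socket whose only remaining holders are not the daemon expected on that port (here `co` processes holding the `www` listener). The `EXPECTED` mapping, the host names and the sample lines are constructed assumptions, and the parser assumes the nine-column layout of the output quoted above, one record per line.

```python
from collections import defaultdict

# Assumption: which command is expected to own each listening endpoint.
EXPECTED = {"www": {"apache2"}, "ssh": {"sshd"}, "https": {"sshd"},
            "cvspserver": {"xinetd"}, "2873": {"rsync"}}

# Constructed sample, modelled on the lsof output quoted in the thread.
SAMPLE = """\
xinetd      956     root  5u  IPv4   15470921  TCP cvs.example.org:cvspserver (LISTEN)
sshd      32098     root  4u  IPv4   58501546  TCP cvs.example.org:ssh (LISTEN)
sshd       2352     root  5u  IPv4  190649048  TCP cvs.example.org:ssh->client.example.net:41435 (ESTABLISHED)
co         5171 www-data  3u  IPv4  606747908  TCP cvs.example.org:www (LISTEN)
co         5173 www-data  3u  IPv4  606747908  TCP cvs.example.org:www (LISTEN)
"""

def listeners(lsof_text):
    """Map (socket id, port) -> set of (command, pid) holding it in LISTEN."""
    held = defaultdict(set)
    for line in lsof_text.splitlines():
        f = line.split()
        # Columns: COMMAND PID USER FD TYPE DEVICE NODE NAME (STATE)
        if len(f) != 9 or f[6] != "TCP" or f[8] != "(LISTEN)":
            continue
        port = f[7].rsplit(":", 1)[1]
        # Several processes can share one socket (same DEVICE id), e.g.
        # children that inherited the parent's listening descriptor.
        held[(f[5], port)].add((f[0], int(f[1])))
    return held

def orphaned_listeners(lsof_text, expected=EXPECTED):
    """Listening sockets where no holder is the expected daemon."""
    findings = []
    for (sock, port), holders in sorted(listeners(lsof_text).items()):
        commands = {cmd for cmd, _ in holders}
        if not commands & expected.get(port, set()):
            findings.append({"port": port, "socket": sock,
                             "holders": sorted(holders)})
    return findings

if __name__ == "__main__":
    for f in orphaned_listeners(SAMPLE):
        print(f"port {f['port']} (socket {f['socket']}) "
              f"held only by {f['holders']}")
```

A port reported here is still bound, so a restarted daemon cannot bind it until the listed processes exit or are killed.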



