[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-hackers-public] Re: viewcvs
From: |
Sylvain Beucler |
Subject: |
[Savannah-hackers-public] Re: viewcvs |
Date: |
Sun, 19 Mar 2006 16:16:52 +0100 |
User-agent: |
Mutt/1.5.11+cvs20060126 |
It has been happening for a while and I still don't know where that comes from.
Check https://savannah.gnu.org/maintenance/SavannahArchitecture (at the bottom)
I do not think there is a system intrusion. I just think something in
ViewCVS/co stalls while keeping an associated apache2 (and hence port
80) open. Something like that. I'm running out of ideas on how to dig
this issue. What are your thoughs?
--
Sylvain
On Sun, Mar 12, 2006 at 02:34:34PM -0500, Michael J. Flickinger wrote:
> Hey Beuc,
>
> What's the exact setup for cvs.savannah.gnu.org?
> I figured apache should be running on there for viewcvs and stuff, right?
>
> Today I found that apache on cvs.savannah.gnu.org was dead, but the socket
> was still listening.
> So, I did a `lsof |grep cvs.savannah` and found this:
>
> savannah:~# lsof |grep cvs.savannah
> xinetd 956 root 5u IPv4 15470921 TCP
> cvs.savannah.gnu.org:cvspserver (LISTEN)
> ntpd 1041 root 6u IPv4 7674 UDP
> cvs.savannah.gnu.org:ntp
> sshd 2352 root 5u IPv4 190649048 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435
> (ESTABLISHED)
> sshd 2354 dprice 5u IPv4 190649048 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41435
> (ESTABLISHED)
> sshd 3634 root 5u IPv4 555713629 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497
> (ESTABLISHED)
> sshd 3637 dprice 5u IPv4 555713629 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41497
> (ESTABLISHED)
> sshd 3776 root 5u IPv4 555720656 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499
> (ESTABLISHED)
> sshd 3784 dprice 5u IPv4 555720656 TCP
> cvs.savannah.gnu.org:ssh->s233-64-208-242.try.wideopenwest.com:41499
> (ESTABLISHED)
> co 5171 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5173 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5175 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> cvs 23237 nobody 0u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> cvs 23237 nobody 1u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> cvs 23237 nobody 2u IPv4 659530770 TCP
> cvs.savannah.gnu.org:cvspserver->lns-bzn-48f-81-56-222-223.adsl.proxad.net:2886
> (ESTABLISHED)
> sshd 32098 root 3u IPv4 58501544 TCP
> cvs.savannah.gnu.org:https (LISTEN)
> sshd 32098 root 4u IPv4 58501546 TCP
> cvs.savannah.gnu.org:ssh (LISTEN)
> rsync 32157 nobody 4u IPv4 58501632 TCP
> cvs.savannah.gnu.org:2873 (LISTEN)
> savannah:~#
>
>
> All looks normal except for this:
> co 5171 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5173 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
> co 5175 www-data 3u IPv4 606747908 TCP
> cvs.savannah.gnu.org:www (LISTEN)
>
> Looks to me like the `co` program, triggered by cvs some how hijacked apache?
> Maybe apache just went a little nuts?
>
> I'm a little concerned about this. What are your thoughts?
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Savannah-hackers-public] Re: viewcvs,
Sylvain Beucler <=