Friday, September 2, 2011

How to Find Out Whether Apache Is Under Attack

Apache is the world's most widely used web server. According to the Netcraft survey, 49.73% of the market runs on this wonderful product. It is free software, released under the Apache License. Attackers try to break into websites whatever server is behind them, so a web administrator should keep a close eye on his Apache server.

Here is how an administrator can find out whether his Apache server is under attack.

1. First check the load on the server

top -u apache (here apache is the user the web server runs as; on Debian and Ubuntu it is usually www-data)

Tasks: 126 total, 1 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.8%us, 0.7%sy, 0.0%ni, 94.3%id, 1.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027224k total, 927296k used, 99928k free, 46428k buffers
Swap: 3004112k total, 0k used, 3004112k free, 410736k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 
5573 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2 
5575 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2 
5576 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2 
5577 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2 
5578 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2 

This is Apache in its normal state: a handful of idle worker processes, each using almost no CPU, and the machine over 90% idle. If the CPU usage and the load average at the top of the output climb while the number of apache workers grows, you are probably in trouble. Compare against a baseline taken during a quiet period rather than against an absolute figure.

2. Check the number of running Apache processes

ps -ef | grep '[a]pache' | wc -l

(The brackets stop grep from counting its own command line; pgrep -c -u apache gives the same figure.) What counts as normal depends on your traffic and on the MaxClients setting (MaxRequestWorkers in Apache 2.4): on a small server fewer than 50 workers is typical. If the count is pinned at MaxClients, every slot is busy and legitimate requests are being queued or refused, and something nasty may be happening.

3. Check how many connections are open to port 80

netstat -tn | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED"' | wc -l

(The command in step 2 counts processes, not connections; this one counts TCP connections whose local side is port 80.) As a rough rule of thumb, more than 100 simultaneous connections on a small server is suspicious, but what really matters is the jump relative to your own baseline. Many connections stuck in SYN_RECV instead of ESTABLISHED point at a SYN flood rather than at real clients.

4. Check which remote IPs are connected

netstat -tn

Look at the Foreign Address column. If the same IP, or many IPs from the same range, hold a large share of the connections to your web port (80), that is the source to investigate. A reverse DNS lookup on those IPs (host <ip>) helps: if they all resolve to names from the dynamic/DHCP pools of consumer ISPs, spread across many networks, a botnet-driven flood is the likely explanation. Treat this as a strong indicator rather than proof: a busy proxy or NAT gateway can also produce many connections from a single address, so check the access log for what those clients are actually requesting before you block them.
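The following script, added here as an example and not part of the original post, turns steps 3 and 4 into one repeatable check: it reads `netstat -tn` output, counts live connections to the web port per remote IP, prints the total, and flags any remote host at or above a per-IP threshold. The SAMPLE netstat dump is constructed for offline testing and uses RFC 5737 documentation addresses, not real hosts; the PER_IP_THRESHOLD value is an assumption you should tune to your own baseline.

```shell
#!/bin/sh
# Added example, not from the original post: summarise who is connected to the
# web port from `netstat -tn` output (steps 3 and 4 of the text in one check).
# SAMPLE is a constructed netstat dump for offline testing; on a live server
# replace it with the real command, e.g.  netstat -tn | web_conns_by_ip 80
# The addresses are RFC 5737 documentation ranges, not real hosts.

WEB_PORT=80
# Assumption: per-IP count above which a remote host is flagged. Tune it to your
# own baseline; a NAT gateway or proxy can legitimately exceed a low value.
PER_IP_THRESHOLD=3

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.44:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:55000      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.45:40002      ESTABLISHED'

# Read `netstat -tn` lines on stdin and print "count ip", busiest first, for
# connections to local port $1. ESTABLISHED and SYN_RECV are both counted: the
# half-open SYN_RECV entries are what a SYN flood leaves behind. TIME_WAIT is
# the tail of an already closed connection and is ignored, as is any other port.
web_conns_by_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            lport = $4; sub(/.*:/, "", lport)        # text after the last colon
            rip = $5;   sub(/:[0-9]+$/, "", rip)     # strip only the remote port,
                                                     # so IPv6 addresses survive
            if (lport == port) cnt[rip]++
        }
        END { for (ip in cnt) print cnt[ip], ip }
    ' | sort -rn
}

# Total number of live connections to local port $1 (step 3 of the text).
total_web_conns() {
    web_conns_by_ip "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Remote IPs with at least $2 connections to local port $1 (step 4 of the text).
flag_ips() {
    web_conns_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | web_conns_by_ip "$WEB_PORT"
echo "total: $(printf '%s\n' "$SAMPLE" | total_web_conns "$WEB_PORT")"
echo "flagged: $(printf '%s\n' "$SAMPLE" | flag_ips "$WEB_PORT" "$PER_IP_THRESHOLD")"
```

On the sample, 198.51.100.7 holds three live connections (two established plus one half-open), the two 203.0.113.x hosts one each, the SSH session on port 22 and the TIME_WAIT entry are ignored, and only 198.51.100.7 is flagged. On a live box run the flagged addresses through host or dig -x and check the access log for what they are requesting before blocking; on newer systems where netstat is gone, ss -tn produces columns the same awk handles.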