# Security issue?



## Mayhem30 (Aug 10, 2011)

This morning, I was checking my processes and noticed something I haven't seen before.


```
www      29895  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '195.93.18.69'
www      29896  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 195.93.18.69
www      29897  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '67.195.115.40'
www      29898  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 67.195.115.40
www      29899  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '67.195.115.40'
www      29900  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 67.195.115.40
```

Is this something I should be concerned about?


----------



## tobe (Aug 10, 2011)

These are reverse DNS lookups, probably started from a CGI or PHP script on your server. No incoming connexions.


----------



## Mayhem30 (Aug 10, 2011)

Ok, thank you - I just wanted to be sure.


----------



## fonz (Aug 10, 2011)

Mayhem30 said:

> Is this something I should be concerned about?


Good question. In and of itself the command is pretty much harmless; it's just a reverse DNS lookup. Why Apache is doing that is another question; perhaps it's for the logfiles?

Does your www account have its password disabled (and possibly the login shell set to /sbin/nologin)?
Has this never happened before or did you just not notice it until now?
Is Apache running in a jail?
Have you changed your Apache config recently?
Does your Apache log contain IP addresses or FQDNs?
Does your authentication log (typically /var/log/auth.log but this is syslog configurable so it could be anywhere) show (attempted) logins for the www user?

Fonz

Edited to add: as someone else mentioned above, CGI or PHP could also be causing this if you have that enabled.


----------



## danbi (Aug 12, 2011)

It is best to find where these 'host' executables are.
Very probably your web server has been hacked, the attacker uploaded some software and is running it on your server. You may look at open files (probably log files) with

`# fstat -p 29896`

(and other process ids)

You may wish to use

`# sockstat`

to find out what connections are open with your host as well.

First collect some data, then stop Apache, remove the hacker's tools and look for how they got into your server (possibly a PHP security hole).
For peace of mind, you may shut the server in single user mode while investigating further.

Come on people, Apache is not supposed to run external programs to do reverse DNS lookup!

PS: Even if some web script is executing those queries, you may want to discuss the issue with the software author, as executing shells from within Apache is a bad idea and there are cheaper ways to query DNS.


----------
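Added example, not written by any poster in this thread: a Python helper for the "first collect some data" step that lists the `sh -c` wrappers owned by the web account and the command each one launched. The `www` account and column layout come from the ps output in the first post; the function names are hypothetical.

```python
import shlex
from collections import Counter

# ps output copied from the first post in this thread (FreeBSD `ps aux` columns).
PS_SAMPLE = """\
www      29895  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '195.93.18.69'
www      29896  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 195.93.18.69
www      29897  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '67.195.115.40'
www      29898  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 67.195.115.40
www      29899  0.0  0.0  7100  1416  ??  S    11:01AM   0:00.00 sh -c host -W 1 '67.195.115.40'
www      29900  0.0  0.0 10856  3100  ??  S    11:01AM   0:00.00 host -W 1 67.195.115.40
"""

WEB_USERS = {"www"}         # assumption: account the web server runs as
SHELLS = {"sh", "/bin/sh"}  # wrappers left behind by system()/popen()-style calls


def parse_ps(text):
    """Yield (user, pid, command) for every well-formed `ps aux` line."""
    for line in text.splitlines():
        fields = line.split(None, 10)  # ten fixed columns, then COMMAND
        if len(fields) == 11 and fields[1].isdigit():
            yield fields[0], int(fields[1]), fields[10]


def shell_spawns(text, users=WEB_USERS):
    """Return [(pid, inner_argv)] for `sh -c <command>` processes owned by a web user."""
    hits = []
    for user, pid, command in parse_ps(text):
        parts = command.split(None, 2)  # ["sh", "-c", "<command string>"]
        if user not in users or len(parts) < 3:
            continue
        if parts[0] in SHELLS and parts[1] == "-c":
            try:
                hits.append((pid, shlex.split(parts[2])))
            except ValueError:  # unbalanced quotes: keep the raw string for review
                hits.append((pid, [parts[2]]))
    return hits


def summarize(text):
    """Count shell-wrapped commands by (executable, last argument)."""
    return Counter((argv[0], argv[-1]) for _, argv in shell_spawns(text))


if __name__ == "__main__":
    for (exe, target), count in sorted(summarize(PS_SAMPLE).items()):
        print(f"{count}x {exe} -> {target}")
```

Feeding it live `ps aux` output instead of the sample gives the PIDs to pass to `fstat -p` and shows whether anything other than `host` is being started through a shell.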



## Mayhem30 (Aug 13, 2011)

Would the following php command cause apache to do this?


```
file_get_contents('http://www.domain.com/page.php');
```


----------

