Spun new server up...httpd suspected compromise
I had a wordpress site and a drupal site on aws free tier that I moved over to linode yesterday. I've installed a basic lamp stack and nothing else to a centos box. Both are very low traffic sites and last night I got a warning about a cpu spike and looking at my httpd access_log there are ~113000 entries for a single night. Looking at the entries there are a lot of get request to random sites. I'm pretty sure something somewhere is compromised. Where should I start cleaning this up? The most frequent entries were
199.15.112.172 - - [03/May/2013:12:47:50 +0000] "GET
Anyone ever heard of this, am I missing something?
Thanks.
Tanner J.
6 Replies
in /var/log/httpd/error_log I've got ~ 70,000 file does not exist errors scaning all of my /var/www/html/ sub directories. Does this spike in traffic mean I've been compromised or could someone have been just probing my server? Looking at the linode manager I had an hour and a half spike that has now fallen off.
Thanks.
If the activity continues then raise a ticket to linode staff asking for a new IP address and explain why.
Tanner J.
@tannerj:
Okay, I was worried it was my drupal site as I got a lot of errors for missing scripts in that directory. But it turns out that the drupal site is the default when reaching my server by ipaddress. So your scenario makes perfect sense. I'll keep an eye out for this happening again and if it continues I'll request the new ip address. Thanks for the insight and saving me a lot of worry.
Tanner J.
you shouldn't require a new ip address… if it really bothers you that much, just drop the traffic using iptables or something like that