Apache error_log showing which command output

Posted by Unai Rodriguez on Server Fault
Published on 2012-03-20T04:19:06Z Indexed on 2012/03/20 5:31 UTC

Apache's error_log shows lines like the following:

--- snip ---
which: no ruby in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no locate in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no suidperl in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no get in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no fetch in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no links in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lynx in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lwp-mirror in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lwp-download in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no kav in (/sbin:/usr/sbin:/bin:/usr/bin)
--- end ---

The architecture is:

Internet -> Load Balancer -> Varnish -> Apache

There are several web servers behind the load balancer and I have checked at least one of them with rkhunter and couldn't find anything suspicious.

Versions:

  • CentOS 5.7
  • Varnish 2.1.5
  • Apache 2.2.3
  • PHP 5.2.17

Does this mean that someone has executed the command which through Apache? How can that happen?

Thank you so much.
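
A triage sketch for the log excerpt above, added here and not part of the original post: it pulls the "which: no ... in (...)" lines out of an error_log, groups consecutive ones into bursts, and records the last Apache-timestamped line before each burst so the burst can be matched against access_log entries. The function name, the min_tools threshold and the Apache-prefixed sample lines are assumptions made for the example.

```python
import re

# Apache 2.2 prefixes its own messages: "[Tue Mar 20 04:10:01 2012] [error] ..."
APACHE_PREFIX = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[\w+\]")
# GNU which reports a failed lookup on stderr; successful lookups go to stdout,
# so only the tools that were NOT found ever reach error_log.
WHICH_MISS = re.compile(r"^which: no (?P<tool>\S+) in \((?P<path>[^)]*)\)\s*$")

def find_which_bursts(lines, min_tools=3):
    """Group consecutive `which: no X in (PATH)` lines into bursts."""
    bursts, current, last_ts = [], None, None

    def flush():
        nonlocal current
        if current and len(current["tools"]) >= min_tools:
            bursts.append(current)
        current = None

    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        miss = WHICH_MISS.match(line)
        if miss:
            if current is None:
                # after_ts: last Apache timestamp seen before the burst
                current = {"first_line": lineno, "after_ts": last_ts,
                           "path": miss.group("path"), "tools": []}
            if miss.group("tool") not in current["tools"]:
                current["tools"].append(miss.group("tool"))
            continue
        flush()  # any other line ends the burst
        prefixed = APACHE_PREFIX.match(line)
        if prefixed:
            last_ts = prefixed.group("ts")
    flush()
    return bursts

# Constructed sample: the Apache-prefixed lines and the client address are
# made up; the which lines are copied from the excerpt above.
SAMPLE_LOG = """\
[Tue Mar 20 04:10:01 2012] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
which: no ruby in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no locate in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no suidperl in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lynx in (/sbin:/usr/sbin:/bin:/usr/bin)
[Tue Mar 20 04:10:07 2012] [notice] caught SIGTERM, shutting down
which: no kav in (/sbin:/usr/sbin:/bin:/usr/bin)
""".splitlines()
```

Calling find_which_bursts(SAMPLE_LOG) returns one burst starting at line 2; the lone "kav" line falls below the default threshold of three distinct tool names.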
