Apache error_log showing which command output
Posted
by
Unai Rodriguez
on Server Fault
See other posts from Server Fault
or by Unai Rodriguez
Published on 2012-03-20T04:19:06Z
Indexed on
2012/03/20
5:31 UTC
Read the original article
Hit count: 581
Apache's error_log shows lines like the following:
--- snip ---
which: no ruby in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no locate in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no suidperl in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no get in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no fetch in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no links in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lynx in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lwp-mirror in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no lwp-download in (/sbin:/usr/sbin:/bin:/usr/bin)
which: no kav in (/sbin:/usr/sbin:/bin:/usr/bin)
--- end ---
The architecture is:
Internet -> Load Balancer -> Varnish -> Apache
There are several web servers behind the load balancer and I have checked at least one of them with rkhunter (link) and couldn't find anything suspicious.
Versions:
- CentOS 5.7
- Varnish 2.1.5
- Apache 2.2.3
- PHP 5.2.17
Does this mean that someone has executed the command which through Apache? How can that happen?
Thank you so much.
© Server Fault or respective owner