# Server hacked/Gone bizirk....???

## jtp755

I just typed a really long post and it got messed up and not posted. yay! NOT   :Evil or Very Mad: 

Here's a summed up version:

This afternoon my server and websites all worked great. I delete a vhost and reload apache2. Every page on my server only shows the source code to the page now. I updated apache2 a few days ago but i didnt not stop the process or restart it after the update. i think the changes went into effect today when i reloaded the config files. im not sure if thats what caused it or not. I have looked at my config files and they look normal. I am doing my weekly update now and its going to update php. When that gets done i am going to re-emerge apache2 to see if it works. I have also rebooted my server and restarted apache multiple times to no avail.

I have pretty much ruled out being hacked but thats always a possibility. I have looked through my logs and dont see anything suspicious but then again i dont know everything to look for. I am running chkrootkit as i am typing this. There is one question tho....why does the error log for apache keep showing everyone when they goto my sites trying to get the file favicon.gif? It doesnt exist and never has but has always been an error. just curious.

Has this happened to anyone before? How can i fix it? Why did it happen? how can i prevent it in the future? TIA

----------

## schism39401

when you updated Apache2 did you replace your apache2.conf? If not, are your pages in php? if so check your /etc/conf.d/apache2 and make sure you see

```
APACHE2_OPTS="-D SSL -D PHP4"
```

at least the php part....

HTH

Last edited by schism39401 on Wed Mar 31, 2004 2:58 pm; edited 1 time in total

----------

## jtp755

they are in php and that is in my conf. It wasnt until it popped in my head earlier and i added it and restarted apache but it didnt make any difference.

----------

## trooper82

Doesn't the new apache2 (2.0.49) place the conf files in a new location?  I think it is in /usr/lib/apache2/conf ? I remember reading that the old directories need to be deleted if doing the upgrade. Hope this helps.

----------

## jtp755

i deleted them and it didnt change anything.

----------

## dvc5

 *trooper82 wrote:*   

> Doesn't the new apache2 (2.0.49) place the conf files in a new location?  I think it is in /usr/lib/apache2/conf ? I remember reading that the old directories need to be deleted if doing the upgrade. Hope this helps.

 

The conf files stay in the same /etc/apache2/conf/ folder, but the "ServerRoot" folder has changed to /usr/lib/apache2 to get rid of the need for symbolic links to the modules, logs, etc.

----------

## trooper82

oh ok, my bad.....

----------

## jtp755

then its probably good i am emerging apache right now   :Razz: 

Ive lost all my config files tho....i had a ton of vhosts and settings in my apache config. it fits in with my luck today.......

----------

## jtp755

 *Quote:*   

> 
> 
> >>> original instance of package unmerged safely.
> 
>  * The INI file for this build is /etc/php/cli-php4/php.ini
> ...

 

What does that mean about CANNOT use on a webserver? If i cant use it then what do i use? i still have php-core 4.3.4 installed. do i need to unmerge it? will my pages still work since it says it cant be used on a webserver? what does the CLI version do differently?

----------

## dvc5

 *jtp755 wrote:*   

>  *Quote:*   
> 
> >>> original instance of package unmerged safely.
> 
>  * The INI file for this build is /etc/php/cli-php4/php.ini
> ...

 

That's fine, the php.ini file you want to edit is in /etc/php/apache2-php4/. The other one, as the message points out, is obsolete and not needed for apache2. I'm guessing that you don't have your "apache2" flag set when you built php, and that's why it's telling you that it's a "CLI only build." Here's the USE flags I used for building php and mod_php:

```
loznet conf # emerge -vp php mod_php

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] dev-php/php-4.3.4-r4  -X +berkdb +crypt -curl -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -imap -informix +ipv6 +java +jpeg -ldap -mcal -memlimit +mysql +ncurses +nls -oci8 -odbc +pam +pdflib +png -postgres -qt +readline -snmp +spell +ssl -tiff +truetype +xml2 -yaz  0 kB
[ebuild   R   ] dev-php/mod_php-4.3.4-r4  -X +apache2 +berkdb +crypt -curl -doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -imap -informix +ipv6 +java +jpeg -ldap -mcal -memlimit +mysql +nls -oci8 -odbc +pam +pdflib +png -postgres -qt -snmp +spell +ssl -tiff +truetype +xml2 -yaz  0 kB

Total size of downloads: 0 kB

loznet conf #
```

----------

## jtp755

i DO have the apache2 use flag set and i havent had ne problems updating php til now. what versions of php and mod_php do you have on your server? should i have both mod_php and php on my server now or is php still needed even tho it says its obsolete? im out for the night...too frustrated with problems and bad luck.

----------

## dvc5

I have php-4.3.4-r4 and mod_php-4.3.4-r4, haven't had any problems with upgrading. Are you sure you don't have some conflicting configuration in your apache2.conf or commonapache2.conf? Also when you do:

```
ps -aux | grep apache2
```

You should have a bunch of lines like this:

```
root     21556  0.0  1.4 19356 7512 ?        S    13:17   0:00 /usr/sbin/apache2 -k start -D PHP4 -D SSL
```

----------

## jtp755

I dont have to -D SSL and -D PHP4 in those lines but it is enable in /etc/conf.d/apache2

and i have php 4.3.5 and mod_php 4.3.5. Should i unmerge both and emerge the older one (4.3.4-r4)? also php-core is not install since i removed it last night. do i need it with php 4.3.4-r4?

How can i figure out if i do have a config conflict? and what it is?

I think i am going to DG php and mod_php because it wont work still after a fresh install of apache, php, and mod_php. i think the unstable 4.3.5 version is messed up or something. not sure but i am emerging the 4.3.4-r4 versions now.

----------

## Jesore

 *jtp755 wrote:*   

>  *Quote:*   
> 
> >>> original instance of package unmerged safely.
> 
>  * The INI file for this build is /etc/php/cli-php4/php.ini
> ...

 

The php package can't be used on a webserver (except with CGI) as it is the normal command line interpreter. mod_php is the package that builds the php support for apache. It is perfectly normal that "php" says it is not for webserver use, cause it isn't.

No sign of a problem there.

Jesore

----------

## jtp755

any idea on why all my pages just show source code then? everything else seems right.

----------

## rmalolepszy

Here are a couple things to look for.

In your apache2.conf make sure you have this line.

```
Include conf/modules.d/*.conf
```

Then make sure you have a mod_php module in that directory.

```
/etc/apache2/conf/modules.d/70_mod_php.conf
```

That file should specify your mime types, mime types are what tell an application what type of data a file is (in this case it tells apache how to handle extensions php, phtml, php3, php4 and phps).

```
    <IfModule mod_mime.c>
        AddType application/x-httpd-php .php
        AddType application/x-httpd-php .phtml
        AddType application/x-httpd-php .php3
        AddType application/x-httpd-php .php4
        AddType application/x-httpd-php-source .phps
    </IfModule>
```

I am running net-www/apache-2.0.49, of course there may be some slight differences, but everything should be similar.

NOTE: This is the basic apache2 install, i did not have to change anything, therefore if one of your directories is incomplete, then do not manually change it unless you know what you're doing. 

Instead just -

```
emerge -v apache mod_php
```

----------

## dvc5

 *jtp755 wrote:*   

> I dont have to -D SSL and -D PHP4 in those lines but it is enable in /etc/conf.d/apache2
> 
> and i have php 4.3.5 and mod_php 4.3.5. Should i unmerge both and emerge the older one (4.3.4-r4)? also php-core is not install since i removed it last night. do i need it with php 4.3.4-r4?
> 
> How can i figure out if i do have a config conflict? and what it is?
> ...

 

For a webserver, I would stick to stable-only packages. You will have less problems in the long run. As for the -D SSL and -D PHP4, for some reason your init script isn't using the configuration you're passing to it, so maybe try the command manually and see if you can get it to work then. If so, we can try to figure out why your init script is ignoring your configuration.

----------
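The comparison discussed in the posts above (the `-D` flags on the running apache2 command line against what /etc/conf.d/apache2 sets), as an added shell example that is not part of the original thread. The function names are hypothetical, the sample conf.d content is constructed, and `check_running` assumes procps `ps` and the /usr/sbin/apache2 path quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list the -D defines that the conf.d
# file declares but that an apache2 command line was not started with.

# defines_in: read text on stdin, print each "-D NAME" / "-DNAME" name once.
defines_in() {
    tr -s ' \t' '\n\n' | awk '
        want       { print; want = 0; next }
        $0 == "-D" { want = 1; next }
        /^-D./     { print substr($0, 3) }' | sort -u
}

# declared_defines FILE: defines in the last uncommented APACHE2_OPTS="..." line.
# The file is parsed, not sourced, so nothing in it is executed.
declared_defines() {
    sed -n 's/^[[:space:]]*APACHE2_OPTS="\([^"]*\)".*/\1/p' "$1" |
        tail -n 1 | defines_in
}

# missing_defines FILE CMDLINE: declared defines that CMDLINE lacks.
missing_defines() {
    running=$(printf '%s\n' "$2" | defines_in)
    for d in $(declared_defines "$1"); do
        printf '%s\n' "$running" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# check_running [FILE]: apply the check to every live apache2 process.
# Assumes procps "ps" and the /usr/sbin/apache2 path shown in the thread.
check_running() {
    ps -eo args= | grep '^/usr/sbin/apache2 ' | while IFS= read -r line; do
        m=$(missing_defines "${1:-/etc/conf.d/apache2}" "$line")
        [ -z "$m" ] || printf 'missing -D %s in: %s\n' "$(echo $m)" "$line"
    done
}

# Constructed sample: conf.d line from the thread vs. a start without defines.
sample=$(mktemp)
printf '%s\n' '#APACHE2_OPTS="-D OLD"' 'APACHE2_OPTS="-D SSL -D PHP4"' > "$sample"
missing_defines "$sample" "/usr/sbin/apache2 -k start"   # lists PHP4 and SSL
rm -f "$sample"
```

Running `check_running` after every reload or package update flags a server that came up without `-D PHP4`, the state in which the pages in this thread were served as source.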

## jtp755

i tried manually starting it (/usr/sbin/apache2 and APACHE2_OPTS="-D SSL -D PHP4" apache2) and neither worked. This is gettin extremely aggravating and frustrating. Where do i have to define the php mime type or something like that?

----------

## dvc5

 *jtp755 wrote:*   

> i tried manually starting it (/usr/sbin/apache2 and APACHE2_OPTS="-D SSL -D PHP4" apache2) and neither worked. This is gettin extremely aggravating and frustrating. Where do i have to define the php mime type or something like that?

 

```
/usr/sbin/apache2 -k start -D PHP4 -D SSL
```

Try that command and see what error it spits out. You shouldn't have to define the mime types, the default configuration should work properly for that. Your problem is that apache isn't starting with PHP support to begin with.

----------

## jtp755

that worked great man. you're a life saver...now to figure out why it isn't starting right.

----------

## dvc5

 *jtp755 wrote:*   

> that worked great man. you're a life saver...now to figure out why it isn't starting right.

 

Here's my /etc/init.d/apache2 runscript, maybe diff it with yours and try it out to see if it works:

```
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-www/apache/files/2.0.49/apache2.initd,v 1.2 2004/03/26 08:45:49 robbat2 Exp $

opts="${opts} reload"

[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${STARTUPERRORLOG}"
[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}"
[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}"
# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow
# instructiosn and update the conf.d/apache2 file.
# (bug #38787)
[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid
[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful"

checkconfig() {
        local myconf="/etc/apache2/conf/apache2.conf"
        if [ "x${CONFIGFILE}" != "x" ]; then
                if [ ${CONFIGFILE:0:1} = "/" ]; then
                        myconf="${CONFIGFILE}"
                else
                        myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}"
                fi
        fi
        if [ ! -r "${myconf}" ]; then
                eerror "Unable to read configuration file: ${myconf}"
                return 1
        fi
    if [ -z "${PIDFILE}" ]; then
        eerror "\$PIDFILE is not set!"
        eerror "Did you etc-update /etc/conf.d/apache2?"
        return 1
    fi
    if [ -z "${RESTARTSTYLE}" ]; then
        eerror "\$RESTARTSTYLE is not set!"
        eerror "Did you etc-update /etc/conf.d/apache2?"
        return 1
    fi
        /usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1
        ret=$?
        if [ $ret -ne 0 ]; then
                eerror "Apache2 has detected a syntax error in your configuration files:"
                /usr/sbin/apache2 -t ${APACHE2_OPTS}
        fi
        return $ret
}

depend() {
        need net
        use mysql dns logger netmount
        after sshd
}

start() {
        checkconfig || return 1
        ebegin "Starting apache2"
        [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache
        env -i PATH=$PATH /sbin/start-stop-daemon --quiet \
                --start --startas /usr/sbin/apache2 \
                --pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS}
        eend $?
}

stop() {
        ebegin "Stopping apache2"
        /usr/sbin/apache2ctl stop >/dev/null
        start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE}
        eend $?
}

reload() {
        # restarting apache2 is much easier than apache1. The server handles most of the work for us.
        # see http://httpd.apache.org/docs-2.0/stopping.html for more details
        ebegin "Restarting apache2"
        /usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE}
        eend $?
}
```

----------

## jtp755

its the same file....i checked side by side each other. What else can i try?

----------

## dvc5

 *jtp755 wrote:*   

> its the same file....i checked side by side each other. What else can i try?

 

Are you sure you're killing all apache processes before trying to run the init script?

```
killall -9 apache2
/etc/init.d/apache2 zap
/etc/init.d/apache2 start
```

----------

## slestak

Also make sure if you kill it, that the stale pid file is removed.  I had difficulties restarting apache earlier when making some config changes.

BTW, nice site, EternalFireProof.com...

----------

## jtp755

it seems to work fine now....im not sure why though. maybe the init script got in a bind but i had killed all processed yesterday before i posted and tried and it wouldnt start it gave me [!!] so im not sure exactly what was up...everything seems to work now...except my all my vhosts and all that i lost when i deleted the conf dir y/day...should have had a back up   :Razz:   Between today being my girlfriend and I's 2 year anniversary and yall helping me get this problem worked out it has been a very good day   :Razz:   thanks alot. Nething else i could look for maybe in the future?

----------

## dvc5

 *jtp755 wrote:*   

> it seems to work fine now....im not sure why though. maybe the init script got in a bind but i had killed all processed yesterday before i posted and tried and it wouldnt start it gave me [!! so im not sure exactly what was up...everything seems to work now...except my all my vhosts and all that i lost when i deleted the conf dir y/day...should have had a back up    Between today being my girlfriend and I's 2 year anniversary and yall helping me get this problem worked out it has been a very good day    thanks alot. Nething else i could look for maybe in the future?

 

Definitely make backup copies of your conf files before running etc-update. I've had so many configurations get borked because I thought I would remember how to configure it after blindly running "-5" in etc-update.

----------

## jtp755

where is that stale pid file located?

Thanks man...spread the word and let others know about it. hehe. thats a part i am lacking. my personal site WhiteGuardian.net has forums and all on it but im having some difficulties with it right now.. i know whats wrong tho. just gotta edit the config file. Thanks alot though!  :Razz: 

THEY ARE BACK UP NOW!!! thanks so much everyone!

----------

## dvc5

 *jtp755 wrote:*   

> where is that stale pid file located?
> 
> Thanks man...spread the word and let others know about it. hehe. thats a part i am lacking. my personal site WhiteGuardian.net has forums and all on it but im having some difficulties with it right now.. i know whats wrong tho. just gotta edit the config file. Thanks alot though! 
> 
> THEY ARE BACK UP NOW!!! thanks so much everyone!

 

Anytime, cool site btw  :Very Happy: . The stale pid file should be in /var/run/. If not in there you can always "find / | grep apache2.pid"

----------

## jtp755

Thanks for all the help and for checking out the site. check out my personal site too WhiteGuardian.net and please spread the links around if you want. I just changed the logos on both sites. email me and tell me what you think. Once again thanks.

----------

## dook43

/etc/init.d/service zap

kills the processes that are in the "zombie" state

----------

## dvc5

 *dook43 wrote:*   

> /etc/init.d/service zap
> 
> kills the processes that are in the "zombie" state

 

Cool, learn something new every day.  :Laughing: 

----------

## jtp755

ok i was right....i didnt know if the zap command would work or not. thanks alot.

----------

