
My apache

Server version: Apache/2.4.54 (Ubuntu)
Server built:   2022-06-08T15:59:20

is configured as follows

ErrorLog ${APACHE_LOG_DIR}/error.log
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
LogLevel warn

However, there are numerous entries in my apache's error.log that don't conform to the format nor indicate their source. How can I determine the culprit?

In particular, something is launching cURL and it results in malware running.

libpng warning: iCCP: known incorrect sRGB profile
libpng warning: Interlace handling should be turned on when using png_read_image
libpng warning: iCCP: known incorrect sRGB profile
libpng warning: Interlace handling should be turned on when using png_read_image
libpng warning: iCCP: known incorrect sRGB profile
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

rm: cannot remove '/var/log/syslog': Permission denied
chattr: Operation not permitted while setting flags on /tmp/
chattr: Operation not permitted while setting flags on /var/tmp/
bilogic
  • Thanks but sorry, it doesn't. I'm trying to determine how it manages to get in again and again, and I think getting a timestamp on those logs will help me move forward. One clue is that it always runs as `www-data`, i.e. apache. – bilogic Jul 05 '22 at 11:35
  • 1. Do as said in that post. Reinstall the server from scratch. This is needed to revert all hidden/invisible/not apparent changes that malware might have done to your server. 2. Configure off-site logging (e.g. to another server, where there will be nothing to compromise, syslog receiver and SSH). Direct Apache there, probably, make your web applications log more verbosely. 3. Analyze logs *there*, because the culprit won't be able to mangle them to hide their actions. – Nikita Kipriyanov Jul 06 '22 at 04:54
  • @NikitaKipriyanov already direct logs out, but these untraceable lines don't get channeled there – bilogic Jul 06 '22 at 05:30
  • Collect *all* logs. Even kernel dmesg. Set up `netconsole` if required. – Nikita Kipriyanov Jul 06 '22 at 05:35
  • @NikitaKipriyanov ok, maybe I did not phrase my OP correctly, but that is the answer I seek, how do I collect *all* logs? I could not find any question addressing it. – bilogic Jul 06 '22 at 05:40
  • So change the title and update the question text, then ask for reopening. Or ask another question. In any case, convey the idea you *read* that question and the answer, you *know* what you are doing, and your problem is in the details when following the instructions given there. Give examples of attempted configurations. Tell what web applications are installed (all of them, that is what to suspect if you see `www-data`). Also, try to change `curl` into a script or binary which audits (logs) an access and either runs the original curl or denies access. That might also shed light. – Nikita Kipriyanov Jul 06 '22 at 10:46
  • In any case, a question like "how to trace a malware" is *way too broad* to be answered here, it deserves a whole book (and, I suspect, more than a single book). In such form it will be closed anyway. – Nikita Kipriyanov Jul 06 '22 at 10:48
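The auditing stand-in for `curl` suggested in the comments, written out as an added example (it is not code from the question or the comments). It assumes the real binary has been moved to `/usr/bin/curl.real` and that `/var/log/curl-audit.log` is writable by the invoking user; both paths are placeholders. Each invocation is logged with the caller's process ancestry (the part the bare stderr lines in error.log never show), then the real curl is run unless the user is on the deny list.

```shell
#!/bin/sh
# Added example (not from the question or comments): an auditing stand-in for
# curl, installed as /usr/bin/curl with the real binary moved to /usr/bin/curl.real
# (both paths assumed). It records who invoked it, then runs the real curl or refuses.
REAL_CURL="${REAL_CURL:-/usr/bin/curl.real}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/curl-audit.log}"
DENY_USERS="${DENY_USERS:-www-data}"   # users for which curl is refused

# One process from /proc: pid, full command line and working directory.
describe_pid() {
    cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || true)
    cwd=$(readlink "/proc/$1/cwd" 2>/dev/null || true)
    printf 'pid=%s cmd=[%s] cwd=[%s]' "$1" "${cmd:-?}" "${cwd:-?}"
}

# Parent pid from /proc/PID/stat; skipping past the comm field's ')' keeps fields aligned.
parent_of() {
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}'
}

# Audit line: UTC time, user, curl arguments and up to five ancestors, which is
# exactly what the bare stderr lines in error.log never reveal.
# $1 = pid of the caller, remaining arguments = the curl command line.
audit_line() {
    p="$1"; shift
    chain=""; depth=0
    while [ -n "$p" ] && [ "$p" -gt 1 ] && [ "$depth" -lt 5 ]; do
        chain="$chain <- $(describe_pid "$p")"
        p=$(parent_of "$p"); depth=$((depth + 1))
    done
    printf '%s user=%s args=[%s] chain:%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" "$chain"
}

# Policy: allow unless the invoking user is listed in DENY_USERS.
policy_allows() {
    for u in $DENY_USERS; do [ "$1" = "$u" ] && return 1; done
    return 0
}
main() {
    line=$(audit_line "$PPID" "$@")
    printf '%s\n' "$line" >> "$AUDIT_LOG" 2>/dev/null || true
    logger -t curl-audit -- "$line" 2>/dev/null || true   # syslog too, so it can go off-site
    if policy_allows "$(id -un)"; then exec "$REAL_CURL" "$@"; fi
    printf 'curl: refused by audit policy, see %s\n' "$AUDIT_LOG" >&2
    exit 77
}
# Act as the wrapper only when invoked under the name "curl".
case "$(basename "$0")" in curl) main "$@" ;; esac
```

Because the audit line also goes through `logger`, it reaches whatever remote syslog receiver the server already forwards to, so the record survives even if the local file is deleted.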

0 Answers