
I created an AWS Ubuntu 16.04 EC2 instance a while ago and had it running for some time not really doing anything. Now as I try to bring that machine back into service, I notice a few things I cannot explain:

```
username@hostname:~$ ps aux | grep apache
root      1930  0.0  0.0   4508   748 ?        Ss   12:17   0:00 /bin/sh /usr/sbin/apache2ctl -D FOREGROUND
root      1965  0.0  0.7  89980  7752 ?        S    12:17   0:00 /usr/sbin/apache2 -D FOREGROUND
www-data  1966  0.0  0.6 379152  6996 ?        Sl   12:17   0:00 /usr/sbin/apache2 -D FOREGROUND
www-data  1967  0.0  0.6 379152  6996 ?        Sl   12:17   0:00 /usr/sbin/apache2 -D FOREGROUND
username  2732  0.0  0.0  12944   976 pts/1    S+   12:32   0:00 grep --color=auto apache
```

How can there be apache2 processes if the executables are not even installed?

```
username@hostname:~$ ls -lA /usr/sbin/apache2
ls: cannot access '/usr/sbin/apache2': No such file or directory
username@hostname:~$ ls -lA /usr/sbin/apache2ctl
ls: cannot access '/usr/sbin/apache2ctl': No such file or directory

username@hostname:~$ aptitude search apache2 | grep '^i'
<no output>
```

Also, this machine seems to have an open UDP port 68, which seems to be related to BOOTP or DHCP. Is it normal for an AWS EC2 instance to have that port open? What would that be good for?

```
username@hostname:~$ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
```

At this stage, I'm at a loss as to what's going on here. Is all of this something I should worry about? Should I wipe the machine and start over? Can anyone shed some light on this?

ssc
  • As it's running in the foreground it might suggest it's not running as a server, and it may be that apache was installed, set running and then deleted, which would leave it in memory. `netstat -nlp` should show if it's listening on a port. If there's nothing of value on the instance I would flatten it and start again. – Simon Greenwood Jan 06 '18 at 13:34

1 Answer


udp/68 is normal for an EC2 instance as it gets its IP address by DHCP.

My first guess, too, would be that they're leftover processes from removed packages. I would first check the apt and the shell history, maybe if you correlate them you'll remember exactly what happened. However, if the instance was rebooted recently (after the package was removed) then something fishy is going on.
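
The checks the answer describes, as an added shell example that is not part of the original answer: it reads `/proc/<pid>/exe` to see whether the binary was deleted after the process started, and compares the boot time with the last removal recorded in apt's history log. It goes one step beyond the answer by also flagging a process that lives in a different mount namespace (for example a container), where a path missing on the host is expected; the function names and the `sample_log` data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example. PROC and LOG are overridable only so the logic can be
# exercised against a constructed tree; run as root against the real /proc.

# exe_state PID [PROC] -> deleted | other-mntns | present | unreadable
exe_state() {
  local pid="$1" proc="${2:-/proc}" exe
  exe=$(readlink "$proc/$pid/exe" 2>/dev/null) || { echo unreadable; return; }
  case "$exe" in
    *' (deleted)') echo deleted; return ;;  # binary unlinked after exec
  esac
  # In another mount namespace (e.g. a container) the path was never
  # resolved against the host's filesystem.
  if [ "$(readlink "$proc/$pid/ns/mnt")" != "$(readlink "$proc/1/ns/mnt")" ]; then
    echo other-mntns
  else
    echo present
  fi
}

# last_removal PKG [LOG] -> epoch of the newest Remove/Purge of PKG, or empty
last_removal() {
  local pkg="$1" log="${2:-/var/log/apt/history.log}" when
  when=$(awk -v p="$pkg" '
    /^Start-Date:/ { d = $2 " " $3 }
    /^(Remove|Purge):/ && index(" " $0, " " p ":") { last = d }
    END { if (last) print last }' "$log")
  [ -z "$when" ] || date -d "$when" +%s
}

# leftover_verdict PKG [PROC] [LOG]: the answer's test, boot time vs. removal
leftover_verdict() {
  local proc="${2:-/proc}" boot removed
  boot=$(awk '$1 == "btime" { print $2 }' "$proc/stat")
  removed=$(last_removal "$1" "${3:-/var/log/apt/history.log}")
  if [ -z "$removed" ]; then echo no-removal-logged
  elif [ "$boot" -gt "$removed" ]; then echo rebooted-after-removal
  else echo leftover-plausible
  fi
}

# Constructed sample in apt's history.log layout (dates and version made up).
sample_log() {
  printf '%s\n' 'Start-Date: 2017-12-20  10:01:12' \
    'Commandline: apt-get remove apache2' \
    'Remove: apache2:amd64 (0.0-constructed)' 'End-Date: 2017-12-20  10:01:15'
}
```

On a live host, run `exe_state` as root for each PID from the `ps` listing; apt rotates its history log, so older removals may sit in compressed `history.log.*.gz` files that need decompressing first.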