I’ve been running apache on OpenSuSE 12.3 for a few months now, no problems. Today I opened the firewall on eth0, my external zone, for port 80. Web server was available to the internal and external networks, eth1 and eth0 respectively. I added a new subdirectory under /srv/www/htdocs and copied a bunch of files to it. I left the computer to watch the football game - Go Bears! - and when I returned, I couldn’t connect via a browser to the web server? Tried to restart it via yast2… got this error: http://webpages.charter.net/linux-as1l/apache2_error.png
So, this is vaguely interesting. I uninstalled apache2 and all related packages, moved /srv/www to /srv/backup.www, deleted /etc/apache2, and moved /etc/sysconfig/apache2 to /etc/sysconfig_apache2.backup.
How were these files changed manually? They didn’t exist!
Walk through HTTP configuration on yast2. On the main host tab, add the server name and admin. Move my backup /srv/www/ and /srv/www/htdocs back where they belong…
On 08/10/2013 08:06 AM, silicon penguin67 wrote:
> So what happened?
maybe you got krack when the firewall was down and port 80 open…
since there are about a billion winBots automatically seeking easy
entry, it does not take long for krackers to find open ports and
unprotected apaches, and slide in their evil.
not saying that happened. don’t know what happened–but adding a
directory with files would not, or should not result in any
config file being changed manually!
i’m not at all sure i would trust the system…but, before you nuke
it wait for other (better) ideas–read my sig caveat.
btw, is it really required to fully expose a system to the net to be
able to copy data from one spot to another? (or perhaps i do not
actually understand your “opened the firewall on eth0, my external
zone, for port 80. Web server was available to the internal and
external networks, eth1 and eth0 respectively”–that is, perhaps the
system was protected ??)
personally i leave all protection in place and strong password ssh in
to set up an FTP link and . . .
That would assume that when the OP stated “Web server was available to the internal and external networks, eth1 and eth0 respectively.” that the external network was routable - we don’t know that. These could easily both be RFC 1918 subnets with no NAT, port forwarding or other exposing of them to the outside - and thus no way for him to get hacked like that.
Even if it were, it’s a pretty big leap to start suggesting a hack. Even if the firewall were running, port 80 and 443 would be open if its a webserver, and provide zero protection whatsoever against unpatched Apache, php, etc. vulnerabilities. If no other services are listening on ports (which we don’t know) dropping the firewall could have about zero effect on increasing risk exposure.
I’m wondering if the original error “NSSProtocol: SSL/TLS protocol initialization failed” was possibly due to updates to openssl or apache2 after which apache had not been restarted? You could check the zypper log to see if either had been updated recently.
Did you by chance happen to reboot after seeing the error and try to start apache again?
On the message /etc/sysconfig/apache2 had been “modified” - perhaps them not existing at all triggered this message?
That was my first thought… Still wonder if that didn’t have something to do with it.
I have one home server that connects the internal network to the internet. eth0 connects to the external zone and eth1 to the internal zone. I opened port 80 in the external facing firewall to enable people on the outside to access the web server. The server has been running for months, no problem. Every once in a while I’ll open port 80 to the external zone to allow friends, family, and clients access to something on the web server. Also, I install whatever updates to PHP or Apache that OpenSuSE says I should. While nothing is crack proof, I’d imagine just opening port 80 shouldn’t offer too much of a target… Yikes! Sounds like famous last words.
I didn’t reboot right away after finding the web server down. I did try to restart apache right away.
Your point about the two files having been “modified” being due to their not existing is probably spot on. I was kinda surprised when uninstalling apache didn’t get rid of the dir, if I want to save my customizations I’ll make my own back up thank you very much! lol!.
Recommend you inspect your syslog to see why the apache service crashed. The following will extract the last 300 lines from the syslog and display anything with “apache” in the entry, modify as necessary. <Maybe> something might be in the apache logs, but for a service crash I’d assume the info is in the main syslog.
tail -n 300 | grep apache
Also,
I strongly suspect the “modified files” relate to your screenshot which for whatever reason is trying to configure as a service (but of course already has been). Unknown why your YAST applet is in the middle of trying to do something that already is configured.
