[thelist] Stupid linux/router problem

Eduardo Kienetz eduardok at gmail.com
Thu Jul 5 21:17:32 CDT 2007


On 7/5/07, Brent Eades <beades at almonte.com> wrote:
> OK, this is probably a little off-topic. But here goes anyway.
>
> I've been running a personal web server through my DSL connection for
> several years. A few days ago I was hacked by some SOBs who planted a
> rootkit on the server, and kept using the back door to install a
> phishing site on my server. Yikes.
>
> So anyway; I soon realized that the only way to get rid of this rootkit
> was to reformat my drive and reinstall Linux. I decided to go with
> Fedora Core 6.
>
> So: traffic to this server (foo.com) is handled by a dLink router
> (address = 192.168.1.1.) I've assigned a permanent internal IP, via the
> router, to this server (192.168.1.140.) and placed it in the DMZ.
>
> I've reinstalled Apache, of course, and fiddled with KDE's 'network
> configuration' utility.
>
> And this is where things fall apart. At one point I guess I tried
> entering 192.168.1.140 as the IP address for foo.com in some Linux
> config file.
>
> And now that I try to start the Apache httpd daemon, I keep getting an
> error: "cannot assign requested address: make sock: could not bind to
> address 192.168.1.140:80"
>
> I thought I'd removed all references to that address, 192.168.1.140,
> from my system -- apart from httpd.conf, which reads:
>
> Listen 192.168.1.140:80
>
> Anyway, it's been years since I last had to install a Linux distro; I
> just can't figure out how to get httpd up and running in this context.
>
> Suggestions?

Run as root: ifconfig eth0
It will show something like: inet addr:X.Y.Z.W
That is the IP you got and the one you should use in httpd.conf
Now, some other software/instance might be using that port already, so run:
netstat -anp | grep LISTEN | grep ":80"
That should show you the process binding to port 80.

Then we would be better able to help you.

As a last resort, if you run:
ifconfig > /root/info.txt
cat /etc/hosts >> /root/info.txt
cat /etc/httpd/conf/httpd.conf >> /root/info.txt
netstat -anp >> /root/info.txt
route -n >> /root/info.txt

and e-mail me that info.txt file, I could help you (remove any
sensitive info you might find).

P.S.: It would have been interesting if you had run chkrootkit on that
server before formatting/reinstalling (www.chkrootkit.org).
Also, reviewing logs would have probably shown how they got in, where
they are from, etc.

Regards,

-- 
Eduardo Bacchi Kienetz
LPI Certified - Level 2
http://www.noticiaslinux.com.br/eduardo/
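
Added example, not part of the original message: a shell sketch of the two checks suggested above, comparing each Listen address in httpd.conf with the addresses ifconfig reports, and finding what already listens on a port. The function names and all sample data (including the 192.168.1.101 interface address) are constructed assumptions; only 192.168.1.140:80 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# Print "addr port" for every active Listen directive in httpd.conf text on stdin.
listen_addrs() {
    awk 'tolower($1) == "listen" {
        n = split($2, p, ":")
        if (n == 1) print "*", p[1]                  # "Listen 80" binds every address
        else print substr($2, 1, length($2) - length(p[n]) - 1), p[n]
    }'
}

# Print the IPv4 addresses found in ifconfig output on stdin (old and new formats).
local_addrs() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p; s/.*inet \([0-9][0-9.]*\).*/\1/p'
}

# check_listen CONF_TEXT IFCONFIG_TEXT: flag Listen addresses no interface holds.
check_listen() {
    addrs=$(printf '%s\n' "$2" | local_addrs)
    printf '%s\n' "$1" | listen_addrs | while read -r addr port; do
        if [ "$addr" = '*' ] || [ "$addr" = 0.0.0.0 ] ||
           printf '%s\n' "$addrs" | grep -qxF -- "$addr"; then
            echo "OK $addr:$port"
        else
            echo "MISMATCH $addr:$port is not assigned to any interface"
        fi
    done
}

# port_owner NETSTAT_TEXT PORT: print "local-address pid/program" for listeners.
# Anchors on the port, so :80 does not also match :8080 as a plain grep would.
port_owner() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '$6 == "LISTEN" && $4 ~ (":" port "$") { print $4, $7 }'
}

SAMPLE_CONF='# Listen 8080
Listen 192.168.1.140:80
Listen 127.0.0.1:8080'
SAMPLE_IFCONFIG='eth0  Link encap:Ethernet  HWaddr 00:00:00:00:00:01
      inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
lo    Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0'
SAMPLE_NETSTAT='tcp  0  0 0.0.0.0:8080  0.0.0.0:*  LISTEN  1201/java
tcp  0  0 127.0.0.1:25  0.0.0.0:*  LISTEN  987/sendmail'

check_listen "$SAMPLE_CONF" "$SAMPLE_IFCONFIG"
port_owner "$SAMPLE_NETSTAT" 80
```

On a live host, feed the functions real data, e.g. check_listen "$(cat /etc/httpd/conf/httpd.conf)" "$(ifconfig)". A MISMATCH line corresponds to the "cannot assign requested address" bind error, while a hit from port_owner means another process already holds the port.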
