compromised apache2?

Derek Broughton news at pointerstop.ca
Tue Dec 25 23:35:49 UTC 2007


Yuelin Li wrote:

Ugh. Please don't send ugly, non-legal 13 page sigs.  If you were using
a .com address, I'd say stop using your employer's email to send to lists,
but since it's .org, it's unlikely even to be required.  That's just
calculated to annoy us.

> I have noticed unexpected tcp connections whenever I start
> /etc/init.d/apache2 (see netstat output below).  These connections
> appear in a couple of minutes, first the top two entries, then four
> and stay at four.  I am not running any other web-related utilities,
> no firefox.  I can't explain why I see them. These connections go away
> almost immediately when I stop apache2.
> 
> My questions are: 1) is my apache2 installation compromised?  and 2)
> if so, how should I remediate it?  Many thanks in advance,
 
> % netstat -atu
# netstat -atun
would be nicer.

It seems unlikely - 91-110-14-210.server is not a valid Internet name, so
it's probably local to your lan.

I'm not quite sure which of these 7 entries you think are problematic, but
all the LISTEN sockets are normal:

> tcp        0      0 *:www                   *:*                     LISTEN

Apache server.

> tcp        0      0 localhost:ipp           *:*                     LISTEN

Print server

> tcp6       0      0 *:ssh                   *:*                     LISTEN

ssh daemon.
-- 
derek
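
Added example, not part of the original message: one way to triage numeric `netstat -atun` output like that discussed above, separating LISTEN sockets from connections made to a local service port and connections opened from the host itself. The sample output is constructed with documentation addresses, and the names `triage` and `split_endpoint` are hypothetical; the inbound/outbound split is a heuristic based on the local port.

```python
# Added example: triage `netstat -atun` output into listeners, inbound and outbound.
# Constructed sample in net-tools format (documentation addresses, not from the thread).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:45678        203.0.113.5:80          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms such as ':::22' work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def triage(netstat_text):
    """Return (listeners, inbound, outbound) for the TCP rows of numeric netstat output."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 6 columns: proto, recv-q, send-q, local, foreign, state.
        # Banner and header lines fail the protocol check; stateless UDP rows have 5 columns.
        if len(fields) == 6 and fields[0] in ("tcp", "tcp6"):
            rows.append((split_endpoint(fields[3]), split_endpoint(fields[4]), fields[5]))
    listeners = sorted({int(local[1]) for local, _, state in rows if state == "LISTEN"})
    inbound, outbound = [], []
    for local, remote, state in rows:
        if state == "LISTEN":
            continue
        # Heuristic: a local port we listen on means a client connected to our
        # service; any other local port means this host opened the connection.
        target = inbound if int(local[1]) in listeners else outbound
        target.append((f"{local[0]}:{local[1]}", f"{remote[0]}:{remote[1]}", state))
    return listeners, inbound, outbound

if __name__ == "__main__":
    listeners, inbound, outbound = triage(SAMPLE)
    print("listening ports:", listeners)
    for label, conns in (("inbound", inbound), ("outbound", outbound)):
        for local, remote, state in conns:
            print(f"{label:8} {local} -> {remote} {state}")
```

Connections listed as inbound on port 80 are clients reaching the web server; entries listed as outbound are the ones to trace back to a process.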




