I created an AWS Ubuntu 16.04 EC2 instance a while ago and had it running for some time, not really doing anything. Now, as I try to bring that machine back into service, I notice a few things I cannot explain:
username@hostname:~$ ps aux | grep apache
root 1930 0.0 0.0 4508 748 ? Ss 12:17 0:00 /bin/sh /usr/sbin/apache2ctl -D FOREGROUND
root 1965 0.0 0.7 89980 7752 ? S 12:17 0:00 /usr/sbin/apache2 -D FOREGROUND
www-data 1966 0.0 0.6 379152 6996 ? Sl 12:17 0:00 /usr/sbin/apache2 -D FOREGROUND
www-data 1967 0.0 0.6 379152 6996 ? Sl 12:17 0:00 /usr/sbin/apache2 -D FOREGROUND
username 2732 0.0 0.0 12944 976 pts/1 S+ 12:32 0:00 grep --color=auto apache
How can there be apache2 processes if the executables are not even installed?
username@hostname:~$ ls -lA /usr/sbin/apache2
ls: cannot access '/usr/sbin/apache2': No such file or directory
username@hostname:~$ ls -lA /usr/sbin/apache2ctl
ls: cannot access '/usr/sbin/apache2ctl': No such file or directory
username@hostname:~$ aptitude search apache2 | grep '^i'
<no output>
Also, this machine seems to have an open UDP port 68, which seems to be related to BOOTP or DHCP. Is it normal for an AWS EC2 instance to have that port open? What would that be good for?
username@hostname:~$ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
At this stage, I'm at a loss as to what's going on here. Is all of this something I should worry about? Should I wipe the machine and start over? Can anyone shed some light on this?
udp/68 is normal for an EC2 instance as it gets its IP address by DHCP.
My first guess, too, would be that they're leftover processes from removed packages. I would first check the apt and the shell history, maybe if you correlate them you'll remember exactly what happened. However, if the instance was rebooted recently (after the package was removed) then something fishy is going on.
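The correlation suggested in the answer above, as an added example that is not part of the original thread: it reads a process's `/proc/<pid>/exe` link (the kernel appends ` (deleted)` once the binary has been unlinked), works out when the process started, and compares that with the last removal of the package recorded in a dpkg.log-format file. The function names, the choice of dpkg.log as the removal record, the UTC timestamps and the sample tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. The proc root and log path are parameters
# so the logic can run against the constructed tree that make_demo builds.

# Start time of PID as a Unix epoch: boot time + starttime ticks / CLK_TCK.
proc_start_epoch() {
    local root="$1" pid="$2" sep=') ' stat btime
    stat=$(cat "$root/$pid/stat") || return 1
    set -- ${stat##*"$sep"}   # drop "pid (comm) "; $1 is now field 3 (state)
    btime=$(awk '$1 == "btime" { print $2 }' "$root/stat")
    echo $(( btime + ${20} / $(getconf CLK_TCK) ))   # ${20} = field 22, starttime
}

# Epoch of the last remove/purge of PKG in a dpkg.log-format file (UTC assumed).
last_removal_epoch() {
    local ts
    ts=$(awk -v p="^$2(:|\$)" '$3 ~ /^(remove|purge)$/ && $4 ~ p { t = $1 " " $2 } END { print t }' "$1")
    [ -n "$ts" ] && date -u -d "$ts" +%s
}

# leftover: binary unlinked under a process that predates the removal.
# started-after-removal: cannot be a leftover, so find out what launched it.
triage_pid() {
    local root="$1" pid="$2" removed="$3" exe start
    exe=$(readlink "$root/$pid/exe") || { echo unreadable; return 0; }
    start=$(proc_start_epoch "$root" "$pid") || { echo unreadable; return 0; }
    if [ "$start" -gt "$removed" ]; then echo started-after-removal; return 0; fi
    case "$exe" in
        *" (deleted)") echo leftover ;;
        *)             echo on-disk ;;
    esac
}

# Constructed sample tree and log (not real data): boot at 09:20 UTC, package
# removed at 12:30 UTC, PID 1965 started before the removal, PID 2100 after it.
make_demo() {
    local d hz; d=$(mktemp -d); hz=$(getconf CLK_TCK)
    mkdir -p "$d/1965" "$d/2100"
    echo "btime 1488360000" > "$d/stat"
    echo "1965 (apache2) S 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 $((60 * hz))" > "$d/1965/stat"
    echo "2100 (apache2) S 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 $((20000 * hz))" > "$d/2100/stat"
    ln -s "/usr/sbin/apache2 (deleted)" "$d/1965/exe"
    ln -s "/usr/sbin/apache2" "$d/2100/exe"
    echo "2017-03-01 12:30:00 remove apache2:amd64 1.0-sample <none>" > "$d/dpkg.log"
    echo "$d"
}
# Live use: triage_pid /proc 1965 "$(last_removal_epoch /var/log/dpkg.log apache2)"
```

Reading another user's `/proc/<pid>/exe` needs root, so run the live form with sudo.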