On Fri, Nov 25, 2005 at 09:32:43PM +0530, Ritesh Raj Sarraf wrote:
> Even after I stop my webserver, I get the perl process to be chewing up 99%
> of my cpu cycles.
>
> top - 07:58:28 up 3 days, 8:26, 1 user, load average: 0.96, 1.04, 1.17
> Tasks: 56 total, 3 running, 53 sleeping, 0 stopped, 0 zombie
> Cpu(s): 84.0% us, 16.0% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
> Mem: 516156k total, 477684k used, 38472k free, 97492k buffers
> Swap: 979924k total, 0k used, 979924k free, 127688k cached
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 28390 www-data  25   0  5760 3812 3444 R 99.4  0.7  48:18.85 perl
>     1 root      16   0  1504  512 1352 S  0.0  0.1   0:00.52 init
>     2 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
>     3 root       5 -10     0    0    0 S  0.0  0.0   0:02.24 events/0
>     4 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 khelper
>     5 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
>    41 root       5 -10     0    0    0 S  0.0  0.0   0:02.08 kblockd/0
>    51 root      15   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
>    52 root      15   0     0    0    0 S  0.0  0.0   0:01.19 pdflush
>    54 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
>    53 root      15   0     0    0    0 S  0.0  0.0   0:05.39 kswapd0
>   190 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kseriod
>
> But `pstree` says there's no apache2 running and that's right:
>
> ns1:/etc/cron.d# pstree
> init─┬─atd
>      ├─cron
>      ├─events/0─┬─aio/0
>      │          ├─kacpid
>      │          ├─kblockd/0
>      │          ├─khelper
>      │          ├─2*[pdflush]
>
> But `ps aux | grep -i www-data` results in the following:
>
> ns1:/etc/cron.d# ps aux | grep www-data
> www-data 28390 43.8  0.7  5760 3812 ?        R    06:08  48:27 /usr/sbin/httpd
> root      1550  0.0  0.0  1548  476 pts/0    R+   07:58   0:00 grep www-data
>
> If there's no /usr/sbin/httpd, how is the process running?
httpd is the parent process of that perl process that is eating all of
your processor. If you kill the perl process I think you'll find that
httpd is no longer running anywhere.

As to whether you are compromised: probably, but since www-data is a
limited account the damage should be limited to world-writable
directories such as /tmp and /var/tmp, unless a local compromise was
used to gain higher-level access.

The likely culprit here is not Apache itself, but a vulnerable script,
such as an older version of the PHP xmlrpc script. Are you running any
PHP-based content management systems such as Drupal?
--
Steve Block
http://ev-15.com/
http://steveblock.com/
[EMAIL PROTECTED]
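The mismatch in the thread above, top reporting `perl` (taken from the kernel's comm field) while `ps aux` reports `/usr/sbin/httpd` (taken from argv[0], which a running program can rewrite, e.g. via Perl's $0), is something a defender can check across every process on the host. The following is an added example, not code from this thread or from Debian; it reads /proc on Linux and flags processes whose argv[0] disagrees with comm or with the exe link, whose claimed path is absent from disk, or whose binary was unlinked while running. The names ProcInfo, spoof_reasons and scan_proc are chosen here, and the figures used in testing it are constructed from the ps/top output quoted in the thread.

```python
import os
from dataclasses import dataclass
@dataclass
class ProcInfo:
    pid: int
    comm: str     # /proc/<pid>/comm: the name top's COMMAND column shows
    cmdline: list # /proc/<pid>/cmdline: the argv that ps aux shows
    exe: str      # target of the /proc/<pid>/exe link ("" if unreadable)

def spoof_reasons(p: ProcInfo, path_exists=os.path.exists) -> list:
    """List the ways a process's self-reported name disagrees with the kernel's view."""
    reasons = []
    argv0 = p.cmdline[0] if p.cmdline else ""
    argv0_base, exe_base = os.path.basename(argv0), os.path.basename(p.exe.replace(" (deleted)", ""))
    # comm is set by the kernel from the file passed to execve (15 chars max) and exe is
    # the mapped binary; argv[0] is the one field a program can rewrite at will (Perl's $0).
    if argv0_base and exe_base and not exe_base.startswith(argv0_base[:15]):
        reasons.append(f"argv[0] {argv0_base!r} does not match exe {exe_base!r}")
    if p.comm and argv0_base and argv0_base[:15] != p.comm:
        reasons.append(f"comm {p.comm!r} (top) differs from argv[0] {argv0_base!r} (ps)")
    if argv0.startswith("/") and not path_exists(argv0):
        reasons.append(f"argv[0] path {argv0!r} does not exist on disk")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked while still running")
    return reasons

def scan_proc(proc_root="/proc") -> list:
    """Collect ProcInfo for every process we may inspect (run as root to read every exe link)."""
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # the process exited between listdir and open
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""  # kernel thread, or another user's process when not root
        found.append(ProcInfo(int(name), comm, cmdline, exe))
    return found

if __name__ == "__main__":
    for p in scan_proc():
        for r in spoof_reasons(p): print(f"pid {p.pid}: {r}")
```

Processes that legitimately rewrite argv[0] (sshd's per-connection children, for instance) will also be listed, so treat a hit as something to inspect rather than as proof of compromise.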