Re: Am I compromised -- More information
Ritesh,
On Fri, 25 Nov 2005, Ritesh Raj Sarraf wrote:
> Even after I stop my webserver, I get the perl process to be chewing up 99%
> of my cpu cycles.
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 28390 www-data 25 0 5760 3812 3444 R 99.4 0.7 48:18.85 perl
>
> If there's no /usr/sbin/httpd, how is the process running?
I've seen this before when a PHP script (among other major possible
security issues on a Webserver) has been used to execute another local
process.
Use lsof to see what files/ports/etc the program has open:
$ lsof -p 28390
I suspect that you'll find it listening on a TCP port, waiting for
commands, or simply providing a login shell to any incoming telnet
connection. :(
If so, your server has been compromised and you'll need to consider that
they may have also used a rootkit/local root exploit to obtain elevated
privileges on your machine.
Regards,
Iain
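As an added illustration of the triage Iain suggests (not code from the original thread), the following POSIX sh script inspects a suspicious PID using only /proc, so it works even on a box where lsof is missing or has been tampered with. It prints the real executable path (a "(deleted)" suffix means the binary was unlinked after launch), the working directory and the full command line (for an interpreter such as perl, this is where the script path shows up), and then decodes /proc/net/tcp to list any TCP sockets the process holds in LISTEN state. The function names and the use of PID 28390 in the usage line are this example's own choices; the host is assumed to be Linux with /proc mounted.

```shell
#!/bin/sh
# Added example: triage a suspicious PID from /proc alone.
# Assumes Linux with /proc mounted; run as root to read other users' processes.

# Decode a /proc/net/tcp address field such as "0100007F:0016" into "127.0.0.1:22".
# The IPv4 address is stored as little-endian hex, so the bytes are reversed.
decode_tcp_addr() {
    hexaddr=${1%%:*}
    hexport=${1##*:}
    b1=$(printf '%s' "$hexaddr" | cut -c1-2)
    b2=$(printf '%s' "$hexaddr" | cut -c3-4)
    b3=$(printf '%s' "$hexaddr" | cut -c5-6)
    b4=$(printf '%s' "$hexaddr" | cut -c7-8)
    printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$hexport))"
}

# Print every listening TCP socket owned by the given PID.
# /proc/net/tcp columns: sl local_address rem_address st ... inode (field 10);
# state 0A is LISTEN. Socket inodes are matched against the process's fd table.
list_listening_sockets() {
    pid=$1
    inodes=$(ls -l /proc/"$pid"/fd 2>/dev/null | sed -n 's/.*socket:\[\([0-9]*\)\].*/\1/p')
    [ -n "$inodes" ] || return 0
    awk '$4 == "0A" { print $2, $10 }' /proc/net/tcp 2>/dev/null |
    while read -r local inode; do
        for i in $inodes; do
            if [ "$i" = "$inode" ]; then
                printf 'LISTEN %s (socket inode %s)\n' "$(decode_tcp_addr "$local")" "$inode"
            fi
        done
    done
}

# Summarise what a PID really is: binary, cwd, arguments, and listening ports.
# Returns 1 if the PID does not exist.
inspect_pid() {
    pid=$1
    [ -d /proc/"$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    exe=$(readlink /proc/"$pid"/exe 2>/dev/null || echo '(unreadable)')
    cwd=$(readlink /proc/"$pid"/cwd 2>/dev/null || echo '(unreadable)')
    cmd=$(tr '\0' ' ' < /proc/"$pid"/cmdline 2>/dev/null)
    printf 'pid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    # A binary removed from disk after it was started is a common sign of a dropped payload.
    case $exe in *"(deleted)"*) echo "WARNING: executable has been deleted from disk" ;; esac
    list_listening_sockets "$pid"
}

# Usage: sh triage.sh 28390   (the PID from the ps output in the thread)
if [ $# -gt 0 ]; then
    inspect_pid "$1"
fi
```

Compare the decoded listening ports with `lsof -p PID` and with the output of `ss -ltnp` or `netstat -ltnp`; if a process-local view and the kernel's socket table disagree, or if the tools on the box disagree with each other, treat the userland tools as untrustworthy and continue the investigation from a known-good boot medium.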