
Re: Am I compromised -- More information



Ritesh,

On Fri, 25 Nov 2005, Ritesh Raj Sarraf wrote:

> Even after I stop my webserver, I get the perl process to be chewing up 99%
> of my cpu cycles.
> 
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 28390 www-data  25   0  5760 3812 3444 R 99.4  0.7  48:18.85 perl
> 
> If there's no /usr/sbin/httpd, how is the process running?

I've seen this before when a PHP script (among other major possible 
security issues on a Webserver) has been used to execute another local 
process.

Use lsof to see what files/ports/etc the program has open:

$ lsof -p 28390

I suspect that you'll find it listening on a TCP port, waiting for 
commands, or simply providing a login shell to any incoming telnet 
connection. :(

If so, your server has been compromised and you'll need to consider that 
they may have also used a rootkit/local root exploit to obtain elevated 
privileges on your machine.

Regards,
Iain
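The `lsof -p 28390` step above is where most of the triage happens, so here is a small helper, added as an example and not part of the original thread, that parses lsof's machine-readable field-per-line output (`lsof -F`, with `p`/`c`/`L`/`f`/`t`/`n`/`P`/`T` selecting pid, command, login, fd, type, name, protocol and TCP state) and flags the three things Iain tells Ritesh to look for: a listening or established socket, an open file that has been unlinked from disk, and code or a working directory under a world-writable path. The PID and user are the ones from the thread; the paths, the port and the list of writable directories are constructed assumptions.

```python
"""Triage helper for a suspicious PID: parse `lsof -F` output and flag
listening sockets, unlinked files and code in world-writable directories.
Added example; the sample is constructed, not captured from the poster's box."""

import subprocess
from dataclasses import dataclass, field

# Constructed sample of `lsof -nP -F pcLftnPT -p 28390`.  One field per line:
# p=pid c=command L=login f=fd t=type n=name P=protocol T=TCP info.
# PID and user come from the thread; every path and the port are invented.
SAMPLE_LSOF_F = """\
p28390
cperl
Lwww-data
fcwd
tDIR
n/tmp/.x
ftxt
tREG
n/usr/bin/perl
f3
tIPv4
PTCP
n*:1234
TST=LISTEN
f4
tREG
n/tmp/.x/bot.pl (deleted)
"""


@dataclass
class OpenFile:
    fd: str                 # "cwd", "txt", "mem" or a numeric descriptor
    ftype: str = ""         # DIR, REG, CHR, IPv4, IPv6, ...
    name: str = ""          # path, or "addr:port" for a socket
    proto: str = ""         # TCP/UDP for sockets
    tcp_state: str = ""     # LISTEN, ESTABLISHED, ...


@dataclass
class Process:
    pid: int = 0
    command: str = ""
    user: str = ""
    files: list = field(default_factory=list)


def parse_lsof_f(text: str) -> Process:
    """Parse lsof -F output for a single process into a Process record."""
    proc = Process()
    cur = None
    for line in text.splitlines():
        if not line:
            continue
        key, val = line[0], line[1:]
        if key == "p":
            proc.pid = int(val)
        elif key == "c":
            proc.command = val
        elif key == "L":
            proc.user = val
        elif key == "f":            # 'f' opens a new file record
            cur = OpenFile(fd=val)
            proc.files.append(cur)
        elif cur is None:
            continue                # process-level field we do not use
        elif key == "t":
            cur.ftype = val
        elif key == "n":
            cur.name = val
        elif key == "P":
            cur.proto = val
        elif key == "T" and val.startswith("ST="):
            cur.tcp_state = val[3:]
    return proc


# Directories the web server's user can normally write to (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def triage(proc: Process) -> list:
    """Return findings as strings, in the order lsof listed the files."""
    findings = []
    for f in proc.files:
        if f.ftype in ("IPv4", "IPv6"):
            if f.tcp_state == "LISTEN":
                findings.append(f"listening socket on fd {f.fd}: {f.proto} {f.name}")
            elif f.tcp_state == "ESTABLISHED":
                findings.append(f"connection on fd {f.fd}: {f.proto} {f.name}")
        if f.name.endswith(" (deleted)"):
            findings.append(f"fd {f.fd} refers to a file unlinked from disk: {f.name}")
        if f.name.startswith(WRITABLE_DIRS):
            findings.append(f"{f.fd} lives in a world-writable directory: {f.name}")
    return findings


def run_lsof(pid: int) -> str:
    """Collect the same fields from a live process (needs lsof on PATH)."""
    result = subprocess.run(["lsof", "-nP", "-F", "pcLftnPT", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    proc = parse_lsof_f(SAMPLE_LSOF_F)      # swap in run_lsof(28390) on a live host
    print(f"{proc.command} pid={proc.pid} user={proc.user}")
    for finding in triage(proc):
        print("  !", finding)
```

On the constructed sample this reports the working directory under /tmp, the TCP listener on fd 3, and the unlinked script on fd 4 (twice: once as deleted, once as living in /tmp). The `-nP` flags stop lsof from resolving hostnames and port names, which keeps the output parseable and avoids DNS traffic from a box you are treating as compromised; a deleted-but-open script can still be recovered from `/proc/28390/fd/4` before the process is killed.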


