
Re: apache / exe process taking 99 % cpu



Hello Marcin,

thank you for your reply.

On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> On Mon, Aug 30, 2004 at 03:50:35PM +0200, Timo Veith wrote:
> > My question is, have I been hacked?
>
> Probably. Do you run PHP? Buggy PHP scripts are a common attack vector
> these days.

Yes, we do run PHP scripts a lot.

> > Could that be a CGI program gone wild?
>
> Yes, if the "pid changes" you noted are just independent processes. Less
> likely, if these are intentional fork()/exit() tricks done by one
> process (of course unless you don't trust your users).

Well, there are too many of them, so I cannot really trust all of them. I know, 
this doesn't make anything better. :(

> > Of course I could stop apache, but that's not what I want. I'd like to
> > figure out where this comes from.
>
> try "ls -l /proc/PID" and "ls -l /proc/PID/fd", these may reveal some
> useful information. Also run chkrootkit.

Thanks for this advice, it found the PWD of the command in the environ file 
under /proc/<pid>. Let me tell you another strange thing. netstat -avp showed 
me that an apache process had an established connection from my box (source 
port was some high port) to a box in .jp (dest port 113). This made me 
curious.

I added an iptables rule to the OUTPUT chain dropping all tcp packets to that 
box:port and guess what? My server was back idle again. No more 99 % cpu 
usage and the process now sits there (sleeping). It doesn't change the pid 
any more and I also can do an strace:

root@gandalf [/proc/18305] strace -p 18305
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("ip.of.remote.box")}}, 16 = -1 ETIMEDOUT (Connection timed out)
close(8)                                = 0
dup(2)                                  = 8
fcntl64(8, F_GETFL)                     = 0x2 (flags O_RDWR)
fstat64(8, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(8, SNDCTL_TMR_TIMEBASE, 0xbffff5d8) = -1 ENOTTY (Inappropriate ioctl for device)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
_llseek(8, 0, [0], SEEK_CUR)            = 0
write(8, "connect: Connection timed out\n", 30) = 30
close(8)                                = 0
munmap(0x40014000, 4096)                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({30, 0}, {30, 0})             = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8

And then it starts again connecting. I think this process tries to talk back 
to someone? Well, I am only guessing ...

I downloaded the ISO image from the F.I.R.E. Linux distribution to have some 
static binaries which I can trust. I burned the image to a CD which I then 
mounted and tried to execute some of them, but I only get "su -: Permission 
denied"

root@gandalf [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
root@gandalf [/proc/18305] uname -r
2.4.27

Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel? 

Many thanks in advance

Timo
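The connect()/nanosleep()/socket() sequence in the strace above is a fixed-interval retry loop towards one remote host and port. As an added example, not part of this thread, here is a small Python parser that groups strace connect() calls by destination and flags any target that is retried at a constant sleep interval; the trace it runs on is constructed from the excerpt, with a placeholder address in place of the real one.

```python
import re

# Constructed sample modelled on the strace excerpt in the mail; 192.0.2.10 is a
# documentation placeholder, not the real remote box.
SAMPLE_STRACE = """\
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(8)                                = 0
write(8, "connect: Connection timed out\\n", 30) = 30
nanosleep({30, 0}, {30, 0})             = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ETIMEDOUT (Connection timed out)
nanosleep({30, 0}, {30, 0})             = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
connect(8, {sin_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ETIMEDOUT (Connection timed out)
"""

# AF_INET connect() as printed by strace: port, dotted-quad address, return value, errno name.
CONNECT_RE = re.compile(r'connect\(\d+, \{sin_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([^"]+)"\)\}, \d+\) = (-?\d+)(?: (E[A-Z]+))?')
SLEEP_RE = re.compile(r'nanosleep\(\{(\d+), (\d+)\}')

def find_beacons(trace, min_attempts=3):
    """Group connect() calls by (ip, port) and attach each following nanosleep() to that
    target. A target contacted at least min_attempts times with an identical sleep between
    attempts is reported as a fixed-interval call-home loop."""
    stats = {}
    last = None
    for line in trace.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            port, ip, ret, _err = m.groups()
            last = (ip, int(port))
            s = stats.setdefault(last, {"attempts": 0, "failures": 0, "sleeps": []})
            s["attempts"] += 1
            if ret != "0":
                s["failures"] += 1
            continue
        m = SLEEP_RE.search(line)
        if m and last is not None:
            stats[last]["sleeps"].append(int(m.group(1)) + int(m.group(2)) / 1e9)
    beacons = {}
    for target, s in stats.items():
        if s["attempts"] >= min_attempts and len(set(s["sleeps"])) == 1:
            beacons[target] = dict(s, interval=s["sleeps"][0])
    return beacons

if __name__ == "__main__":
    for (ip, port), info in find_beacons(SAMPLE_STRACE).items():
        print(f"{ip}:{port} retried {info['attempts']}x every {info['interval']:.0f}s "
              f"({info['failures']} failed)")
```

The same function works on a longer `strace -f -o` capture; a blocked destination shows up as a target whose every attempt fails, as in the mail after the OUTPUT rule was added.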


