Re: apache / exe process taking 99 % cpu
On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> I added an iptables rule to the OUTPUT chain dropping all tcp packets to that
> box:port and guess what? My server was back idle again. No more 99 % cpu
> usage and the process now sits there.
Seems like the process is a DoS zombie. Probably it opened as many
connections to that machine as possible, and that caused the heavy CPU
> And then it starts again connecting. I think this process tries to talk back
> to someone? Well, I am only guessing ...
Could be. I would unblock the rule for a while and record some of the
traffic. Viewing it with something nice like ethereal could provide more
information on the nature of those connections.
> I downloaded the ISO image from the F.I.R.E. Linux distribution to have some
> static binaries which I can trust.
Basically, if you don't trust your binaries, that means that you suspect
the attacker got root access. And if they did, they probably installed a
kernel backdoor. And if they did, then "trusted" binaries won't buy you
anything. You need to boot off a trusted media if you want to be sure.
> I burned the image to a cd which I then
> mounted and tried to execute some of them but I only get "su -: Permission
> root@gandalf [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> root@gandalf [/proc/18305] uname -r
> Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel?
I don't think so. I suspect this is either a permissions (file or
filesystem) or dynamic libs problem.
PS: Please don't cc me. I really do read this list :-)
Marcin Owsiany <email@example.com> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
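The reply suggests lifting the DROP rule briefly and recording what the process connects to. As an added example that is not part of the thread, the Python below summarises outbound TCP SYN lines written by the iptables LOG target, so the host:port being hammered and the reconnect burst rate can be read off the log; the `OUT-SYN:` prefix, the addresses and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (assumption: produced by a rule such as
#   iptables -I OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-SYN: "
# placed ahead of the DROP rule). Hosts and ports are made up.
SAMPLE_LOG = """\
Aug 31 00:40:01 gandalf kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=32771 DPT=6667 SYN
Aug 31 00:40:01 gandalf kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=32772 DPT=6667 SYN
Aug 31 00:40:01 gandalf kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=32773 DPT=6667 SYN
Aug 31 00:40:02 gandalf kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=32774 DPT=6667 SYN
Aug 31 00:40:02 gandalf kernel: OUT-SYN: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.20 LEN=60 TTL=64 PROTO=TCP SPT=32775 DPT=80 SYN
Aug 31 00:40:03 gandalf CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

LOG_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT-SYN: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """One dict per OUT-SYN line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            r = m.groupdict()
            r["spt"], r["dpt"] = int(r["spt"]), int(r["dpt"])
            records.append(r)
    return records

def summarize(records, min_attempts=3, min_src_ports=3):
    """Group SYNs by destination host:port. A destination hit repeatedly from
    many different source ports is what a process opening as many connections
    as it can looks like; it is flagged as suspicious."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["dpt"])].append(r)
    summary = {}
    for key, rs in groups.items():
        per_second = Counter(r["ts"] for r in rs)   # reconnect burst rate
        src_ports = {r["spt"] for r in rs}
        summary[key] = {
            "attempts": len(rs),
            "distinct_src_ports": len(src_ports),
            "peak_per_second": max(per_second.values()),
            "suspicious": len(rs) >= min_attempts and len(src_ports) >= min_src_ports,
        }
    return summary

if __name__ == "__main__":
    for (dst, dpt), s in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{dst}:{dpt} attempts={s['attempts']} src_ports={s['distinct_src_ports']} "
              f"peak/s={s['peak_per_second']} {flag}")
```

Point it at the real kernel log (e.g. `summarize(parse_log(open('/var/log/kern.log').read()))`) while the LOG rule is in place; the flagged host:port is the one to feed back into the DROP rule and to watch in a packet capture.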