[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache / exe process taking 99 % cpu

On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> I added a iptables rule to the OUTPUT chain dropping all tcp packets to that 
> box:port and guess what? My server was back idle again. No more 99 % cpu 
> usage and the process now sits there.

Seems like the process is a DoS zombie. Probably it opened as many
connections to that machine, as possible, and that caused the heavy CPU

> And then it starts again connecting. I think this process tries to talk back 
> to someone? Well, I am only guessing ...

Could be. I would unblock the rule for a while and record some of the
traffic. Viewing it with something nice like ethereal could provide more
infomation on the nature of those connections.

> I downloaded the ISO image from the F.I.R.E. Linux distribution to have some 
> static binaries which I can trust.

Basically, if you don't trust your binaries, that means that you suspect
the attacker got root access. And if they did, they probably installed a
kernel backdoor. And if they did, then "trusted" binaries won't buy you
anything. You need to boot off a trusted media if you want to be sure.

> I burned the image to a cd which I then 
> mounted and tried to excute some of them but I only get "su -: Permission 
> denied"
> root@gandalf [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> root@gandalf [/proc/18305] uname -r
> 2.4.27
> Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 kernel? 

I don't think so. I suspect this is either a permissions (file or
filesystem) or dynamic libs problem.

PS: Please don't cc me. I really do read this list :-)
Marcin Owsiany <marcin@owsiany.pl>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
                                                              -- Unknown

Reply to: