Re: apache / exe process taking 99 % cpu
On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > I added an iptables rule to the OUTPUT chain dropping all tcp packets to
> > that box:port and guess what? My server was back idle again. No more
> > cpu usage and the process now sits there.
> Seems like the process is a DoS zombie. Probably it opened as many
> connections to that machine, as possible, and that caused the heavy CPU
Hmm, there wasn't much network traffic, at least not significantly more
than some other time (according to my rrd graphs). There was always only
one process and right after it died, a new one appeared. Well, I assume
there actually were two procs for a short time and one started the other.
> > And then it starts again connecting. I think this process tries to talk
> > back to someone? Well, I am only guessing ...
> Could be. I would unblock the rule for a while and record some of the
> traffic. Viewing it with something nice like ethereal could provide more
> information on the nature of those connections.
I will do this the next time. I rebooted because I wanted to check for a
rootkit with knoppix. Now everything seems normal again.
> > I burned the image to a cd which I then
> > mounted and tried to execute some of them but I only get "su -:
> > denied"
> > root@gandalf [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> > su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> > root@gandalf [/proc/18305] uname -r
> > 2.4.27
> > Is it maybe because binaries for linux 2.2 cannot be run on a 2.4
> I don't think so. I suspect this is either a permissions (file or
> filesystem) or dynamic libs problem.
Mea culpa! :/
I checked fstab whether there is a noexec flag in the cdrom entry, but
didn't know that it is implied with the "user" flag.
There's more interesting news:
As I stopped apache, the other apache proc immediately took port 443 and
listened on it. A little while later also port 80 was in use. I connected
to both of them with a browser and with telnet but there was no response.
This fact made me think that someone really hacked me, because port 80
and 443 can only be opened with root permissions. That's why I shut the
machine down, booted with knoppix (3.6) and tried chkrootkit. But found
I also googled after the ip address of that remote box to which the
alleged apache proc had a connection and found these links:
Unfortunately, I don't speak Russian or Romanian either, but I think they
describe the same problems as I have. It seems to be a php issue. I
searched through all php files that "include" or "fopen" something ...
whew there are way too many.
Any ideas?
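The checks Timo describes above (spotting an unexpected listener on a privileged port, finding the outbound connection to block on the OUTPUT chain, and the "user" mount flag quietly implying noexec) can be scripted. The following is an added example written for this thread, not code from Timo or from the list; the /proc/net/tcp snapshot it parses is constructed, and the inode and uid values in it are placeholders, not data from the compromised machine.

```python
"""Audit a /proc/net/tcp snapshot for privileged listeners and outbound
connections, and expand mount(8) option semantics to show why a cdrom
mounted with 'user' is noexec.  Added example; the sample data is constructed."""
import socket
import struct
from dataclasses import dataclass

# TCP state codes as they appear in /proc/net/tcp (kernel tcp_states.h).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed snapshot (not from the original thread): a root-owned process
# listening on 443 and 80, sshd on loopback, and one established outbound
# connection owned by uid 33 (www-data on Debian).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18305 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18306 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C4F2 0B0B0B0B:1F40 01 00000000:00000000 00:00000000 00000000    33        0 18307 1 0000000000000000 100 0 0 10 0
"""


@dataclass
class TcpSocket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _decode_addr(field: str):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Parse the text of /proc/net/tcp into TcpSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = _decode_addr(cols[1])
        rip, rport = _decode_addr(cols[2])
        sockets.append(TcpSocket(lip, lport, rip, rport,
                                 TCP_STATES.get(cols[3], cols[3]),
                                 int(cols[7]), int(cols[9])))
    return sockets


def privileged_listeners(sockets):
    """Listening sockets on ports below 1024.  Only root (or a process with
    CAP_NET_BIND_SERVICE) can bind these, which is why an unexpected
    listener on 443 after stopping apache is a strong signal."""
    return [s for s in sockets if s.state == "LISTEN" and s.local_port < 1024]


def outbound_connections(sockets):
    """Established connections: the peers to capture (ethereal/tcpdump)
    before deciding what to block."""
    return [s for s in sockets if s.state == "ESTABLISHED"]


def output_drop_rule(ip: str, port: int) -> str:
    """Containment rule as used in the thread: drop outbound TCP to one peer."""
    return f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"


def effective_mount_options(options: str):
    """Expand mount(8) semantics: 'user' implies noexec,nosuid,nodev unless a
    later exec/suid/dev option overrides it, so option order matters."""
    opposite = {"exec": "noexec", "noexec": "exec", "suid": "nosuid",
                "nosuid": "suid", "dev": "nodev", "nodev": "dev"}
    effective = set()
    for opt in options.split(","):
        if opt in ("user", "users"):
            effective -= {"exec", "suid", "dev"}
            effective |= {"noexec", "nosuid", "nodev"}
        elif opt in opposite:
            effective.discard(opposite[opt])
        effective.add(opt)
    return effective


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for s in privileged_listeners(socks):
        print(f"LISTEN      {s.local_ip}:{s.local_port} uid={s.uid} inode={s.inode}")
    for s in outbound_connections(socks):
        print(f"ESTABLISHED -> {s.remote_ip}:{s.remote_port} uid={s.uid}")
        print("  containment:", output_drop_rule(s.remote_ip, s.remote_port))
    print("ro,user mounts as:", sorted(effective_mount_options("ro,user")))
```

On a live system, read `/proc/net/tcp` instead of the sample and match each inode against the `socket:[inode]` links under `/proc/<pid>/fd/` to identify the owning process; comparing that pid's `/proc/<pid>/exe` with the real apache binary is the quickest way to tell whether "apache" is what it claims to be. The `effective_mount_options` check explains the "Permission denied" from the cdrom: `ro,user` yields `noexec`, while `user,exec` does not.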