[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache / exe process taking 99 % cpu

On Tuesday 31 August 2004 03:24, Marcin Owsiany wrote:
> On Tue, Aug 31, 2004 at 12:59:48AM +0200, Timo Veith wrote:
> > On Monday 30 August 2004 21:06, Marcin Owsiany wrote:
> > I added a iptables rule to the OUTPUT chain dropping all tcp packets 
to
> > that box:port and guess what? My server was back idle again. No more 
99 %
> > cpu usage and the process now sits there.
>
> Seems like the process is a DoS zombie. Probably it opened as many
> connections to that machine, as possible, and that caused the heavy CPU
> utilization.

Hmm, there wasn't much network traffic, at least not significantly more 
than some other time. (according to my rrd graphs). There was always only 
one process and right after it died, a new one appeared. Well, I assume 
there actually were two procs for a short time and one started the other.

> > And then it starts again connecting. I think this process tries totalk
> > back to someone? Well, I am only guessing ...
>
> Could be. I would unblock the rule for a while and record some of the
> traffic. Viewing it with something nice like ethereal could provide more
> infomation on the nature of those connections.

I will do this the next time. I rebooted because I wanted to check for a 
rootkit with knoppix. Now everything seems normal again.

> > I burned the image to a cd which I then
> > mounted and tried to excute some of them but I only get "su -: 
Permission
> > denied"
> >
> > root@gandalf [/proc/18305] /mnt/cdrom/statbins/linux2.2_x86/who
> > su: /mnt/cdrom/statbins/linux2.2_x86/who: Permission denied
> > root@gandalf [/proc/18305] uname -r
> > 2.4.27
> >
> > Is it maybe because binaries for linux 2.2 cannot be run on a 2.4 
kernel?
>
> I don't think so. I suspect this is either a permissions (file or
> filesystem) or dynamic libs problem.

Mea culpa! :/
I checked fstab whether there is a noexec flag in the cdrom entry, but 
didn't know that it is implied with the "user" flag.

There's more interessting news:
As I stopped apache, the other apache proc immediately took port 443 and 
listened on it. A little while later also port 80 was in use. I connected 
to both of them with a browser and with telnet but there was no response.

This fact made me think, that someone really hacked me, because port 80 
and 443 can only be opened with root permissions. That's why I shut the 
machine down, booted with knoppix (3.6) and tried chkrootkit. But found 
nothing. :(

I also googled after the ip address of that remote box to which the 
alleged apache proc had a connection and found these links:

http://www.linux.org.ru/view-message.jsp?msgid=632105&back=view-group.jsp%3Fgroup%3D7300
http://www.linux360.ro/forum/archive/o_t/t_4082/proces_care_papa_tot_procesorul_.html

Unfortunately, I don't speak russian or romanian either, but I think they 
describe the same problems like I have. I seems to be a php issue. I 
searched through all php files that "include" or "fopen" something ... 
whew there are way too many.

Any ideas ?

TIA

Timo
Reply to: