
Am I Compromised -- More information



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Even after I stop my webserver, the perl process keeps chewing up 99%
of my CPU cycles.

top - 07:58:28 up 3 days,  8:26,  1 user,  load average: 0.96, 1.04, 1.17
Tasks:  56 total,   3 running,  53 sleeping,   0 stopped,   0 zombie
Cpu(s): 84.0% us, 16.0% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:    516156k total,   477684k used,    38472k free,    97492k buffers
Swap:   979924k total,        0k used,   979924k free,   127688k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
28390 www-data  25   0  5760 3812 3444 R 99.4  0.7  48:18.85 perl
    1 root      16   0  1504  512 1352 S  0.0  0.1   0:00.52 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
    3 root       5 -10     0    0    0 S  0.0  0.0   0:02.24 events/0
    4 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 khelper
    5 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
   41 root       5 -10     0    0    0 S  0.0  0.0   0:02.08 kblockd/0
   51 root      15   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
   52 root      15   0     0    0    0 S  0.0  0.0   0:01.19 pdflush
   54 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
   53 root      15   0     0    0    0 S  0.0  0.0   0:05.39 kswapd0
  190 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kseriod


But `pstree` says there's no apache2 running and that's right:

ns1:/etc/cron.d# pstree
init─┬─atd
     ├─cron
     ├─events/0─┬─aio/0
     │          ├─kacpid
     │          ├─kblockd/0
     │          ├─khelper
     │          └─2*[pdflush]


But `ps aux | grep -i www-data` results in the following:

ns1:/etc/cron.d# ps aux | grep www-data
www-data 28390 43.8  0.7  5760 3812 ?        R    06:08  48:27 /usr/sbin/httpd
root      1550  0.0  0.0  1548  476 pts/0    R+   07:58   0:00 grep www-data



If there's no /usr/sbin/httpd, how is the process running?

:-(

Regards,

rrs
- -- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDhzWj4Rhi6gTxMLwRAg9SAJ962C1aOgOTEI92C7cU4BR5rmspMgCgsCPB
NZtqWgYWFLUs26FwLNijX9w=
=AqcQ
-----END PGP SIGNATURE-----
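
In the output above, top names PID 28390 `perl` while `ps aux` prints `/usr/sbin/httpd` for the same PID; the two tools read different per-process fields, which can be compared directly under /proc. The script below is an added example, not part of the original message; `check_pid` and its `proc_root` parameter are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: compare the names Linux keeps for one process.
#   comm    - name the kernel records at exec (top's default COMMAND column)
#   cmdline - argv held in the process's own memory (what `ps aux` prints);
#             the process can rewrite it, e.g. Perl by assigning to $0
#   exe     - symlink to the binary that was actually executed
# proc_root is a parameter (an assumption of this example) so the check can
# run against a constructed tree as well as the real /proc.
check_pid() {
    proc_root=$1
    pid=$2
    dir="$proc_root/$pid"
    [ -d "$dir" ] || { echo "pid=$pid not found"; return 2; }

    comm=$(cat "$dir/comm" 2>/dev/null || true)
    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    exe=${exe% (deleted)}   # kernel appends this when the binary was unlinked

    # Kernel threads have an empty cmdline, and exe cannot be read without
    # sufficient privileges. Nothing to compare in either case.
    if [ -z "$argv0" ] || [ -z "$exe" ]; then
        echo "pid=$pid comm=$comm skipped (no cmdline or exe)"
        return 0
    fi

    # Heuristic: argv[0] should name the same file as exe. Login shells
    # ("-bash") and daemons that set a process title will also trip this,
    # so treat a hit as a lead to inspect, not as proof.
    if [ "${argv0##*/}" != "${exe##*/}" ]; then
        echo "pid=$pid MISMATCH comm=$comm argv0=$argv0 exe=$exe"
        return 1
    fi
    echo "pid=$pid ok comm=$comm argv0=$argv0 exe=$exe"
    return 0
}

# Usage: sh check_pid.sh /proc 28390
if [ "$#" -eq 2 ]; then check_pid "$1" "$2"; fi
```

Run it as root or as the process owner, since `/proc/<pid>/exe` is not readable otherwise.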


