
Re: Am I Compromised -- More information



On Fri, Nov 25, 2005 at 09:32:43PM +0530, Ritesh Raj Sarraf wrote:

Even after I stop my webserver, I still see a perl process chewing up 99%
of my CPU cycles.

top - 07:58:28 up 3 days,  8:26,  1 user,  load average: 0.96, 1.04, 1.17
Tasks:  56 total,   3 running,  53 sleeping,   0 stopped,   0 zombie
Cpu(s): 84.0% us, 16.0% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:    516156k total,   477684k used,    38472k free,    97492k buffers
Swap:   979924k total,        0k used,   979924k free,   127688k cached

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
28390 www-data  25   0  5760 3812 3444 R 99.4  0.7  48:18.85 perl
   1 root      16   0  1504  512 1352 S  0.0  0.1   0:00.52 init
   2 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
   3 root       5 -10     0    0    0 S  0.0  0.0   0:02.24 events/0
   4 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 khelper
   5 root      15 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
  41 root       5 -10     0    0    0 S  0.0  0.0   0:02.08 kblockd/0
  51 root      15   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
  52 root      15   0     0    0    0 S  0.0  0.0   0:01.19 pdflush
  54 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
  53 root      15   0     0    0    0 S  0.0  0.0   0:05.39 kswapd0
 190 root      25   0     0    0    0 S  0.0  0.0   0:00.00 kseriod


But `pstree` says there's no apache2 running and that's right:

ns1:/etc/cron.d# pstree
init─┬─atd
     ├─cron
     ├─events/0─┬─aio/0
     │          ├─kacpid
     │          ├─kblockd/0
     │          ├─khelper
     │          └─2*[pdflush]


But `ps aux | grep -i www-data` results in the following:

ns1:/etc/cron.d# ps aux | grep www-data
www-data 28390 43.8 0.7 5760 3812 ? R 06:08 48:27 /usr/sbin/httpd
root      1550  0.0  0.0  1548  476 pts/0    R+   07:58   0:00 grep www-data



If there's no /usr/sbin/httpd, how is the process running?

httpd is the parent process of that perl process that is eating all of your processor. If you kill the perl process I think you'll find that httpd is no longer running anywhere.

As to whether you are compromised: probably, but since www-data is a limited account the damage should be limited to world-writable directories such as /tmp and /var/tmp, unless a local compromise was used to gain higher-level access.

The likely culprit here is not Apache itself, but a vulnerable script, such as an older version of the PHP XML-RPC script. Are you running any PHP-based content management systems such as Drupal?

--
Steve Block
http://ev-15.com/
http://steveblock.com/
scblock@ev-15.com
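Added example, not part of the thread: a shell check for the discrepancy visible in the quoted output, where top reports the command name "perl" for PID 28390 while ps reports "/usr/sbin/httpd" for the same PID. It assumes a Linux host with /proc; the `classify` and `scan_proc` names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Linux exposes two names per process:
# the kernel's command name (/proc/PID/comm, set at execve from the binary's
# filename, shown by top) and argv[0] (/proc/PID/cmdline, shown by ps), which
# a program can rewrite at will, e.g. "$0 = '/usr/sbin/httpd'" in Perl. A perl
# comm paired with an httpd argv[0] is the pattern in the quoted output.

# classify COMM ARGV0 [EXE] -> prints "ok" or a one-line "mismatch: ..." reason.
# EXE is the readlink of /proc/PID/exe ("... (deleted)" if the file is gone).
classify() {
    comm=$1; argv0=$2; exe=${3:-}
    argv0_base=${argv0##*/}
    argv0_base=${argv0_base#-}                  # login shells prefix argv[0] with "-"
    argv0_15=$(printf '%.15s' "$argv0_base")   # comm is truncated to 15 bytes
    case "$exe" in
        *" (deleted)") echo "mismatch: binary deleted on disk ($exe)"; return ;;
    esac
    # Some legitimate daemons (postgres, sshd) also rewrite argv[0], so a hit
    # is a lead to review, not proof of compromise.
    if [ "$comm" != "$argv0_15" ]; then
        echo "mismatch: comm=$comm but argv0=$argv0"
    else
        echo ok
    fi
}

# Walk /proc on a live Linux host and print one line per flagged process.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue             # kernel threads have an empty cmdline
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null || true)
        result=$(classify "$comm" "$argv0" "$exe")
        [ "$result" = ok ] || echo "pid=$pid uid=${uid:-?} $result"
    done
}

# Constructed demonstration with the names from the thread (not read from /proc).
demo_thread_case() {
    classify perl /usr/sbin/httpd /usr/bin/perl
}
demo_thread_case   # prints: mismatch: comm=perl but argv0=/usr/sbin/httpd
# On a live host, run: scan_proc
```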
