Page 1 of 2 12 LastLast
Results 1 to 15 of 19

Thread: Server compromised or what?

  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    45

    Default Server compromised or what?

    Hello,

    Today I found that nobody user was running this command: (from WHM)

    /hsphere/shared/apache/bin/httpd -DSSL

    Top shows it as perl ...

    And it has been using 90+% of CPU all the time and I was not able to identify the user who did it. Also no such directory exists on the server, so how come it was running?

    Any ideas?
    Last edited by mike_r; 12-20-2004 at 10:16 PM.

  2. #2
    Member
    Join Date
    Sep 2004
    Posts
    529

    Default

    You may want to hire someone who is familiar with linux security and can find out if a process is 'bad' and just trying to look like a legitimate program.

  3. #3
    Member
    Join Date
    Sep 2004
    Location
    Cleveland, Ohio
    Posts
    378

    Default

    Are you running H-Sphere?

    If so, then you have nothing to worry about. The process should be run as nobody. There should be one process like that as "root", and several child processes like that run as "nobody". It is simply the Apache webserver. If it is somehow compromised, the hacker gets as much access as the user "nobody", being essentially nothing. If all of the child processes were run as root, and one was exploited, a hacker could gain complete access instead of a "dead end".

  4. #4
    Member
    Join Date
    Nov 2002
    Posts
    45

    Default

    It looks weird to me because I am not running H-Sphere... I think someone compiled the H-Sphere Apache on the server in order to run Apache on another port for some other purpose.

  5. #5
    Member
    Join Date
    Sep 2004
    Posts
    529

    Default

    I vaguely remember someone else (I think on these forums) reporting a similar thing... a program named apache running from an hsphere directory, when there was nothing relating to hsphere on the server.

    Remember that you can name a program anything you want... so it's quite unlikely that this is really Apache, if it is a hack program. It's more likely that it's an IRC server, or maybe a DoS program, or something similar.

  6. #6
    cPanel Partner NOC AndyReed
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    I have seen so many names for DDoS and IRC programs on servers we manage. Your server might be, and will be, exploited unless you protect it.

    FYI:
    An exploit is a way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over and over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.

    Hope this helps!
    Andy Reed
    CCNA, RHCE, and Ubuntu Technologist
    ServerTune.com

  7. #7
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    Quote Originally Posted by mike_r
    Hello,

    Today I found that nobody user was running this command: (from WHM)

    /hsphere/shared/apache/bin/httpd -DSSL

    Top shows it as perl ...

    And it has been using 90+% of CPU all the time and I was not able to identify the user who did it. Also no such directory exists on the server, so how come it was running?

    Any ideas?
    Kill it, terminate user.

  8. #8
    Member
    Join Date
    Apr 2004
    Posts
    14

    Default you might be compromised

    An earlier poster indicated that the hsphere processes may be evidence of a hack.

    I had 3 servers (PHP 4.3.10 on all, phpBB 2.0.11 available but not forced on the customers) pop up with several of those processes exactly as you did, running as nobody and appearing as perl in top. In the tmp directory on those servers, I found bots, worms, and new index pages, so it appears to be part of an outgoing hack after phpBB is compromised on a machine.

    Once I chowned, chmodded and moved those bot and worm files, several wget commands popped up attempting to get those same files and place them into /tmp.

    I blocked the IP of the domain listed in the wget, but the processes didn't stop regenerating. I used the PIDs to find the user in "Apache status" in WHM, and then either disabled the BB (if the customer hadn't used our cPanel to install it) or forced an upgrade through the customer's cPanel view. All wget processes immediately ceased in the upgrade scenario, and they stopped regenerating in the disable version.

    I didn't find any evidence of removing the customer's site files, but you may want to check your /tmp directory, and you may want to make sure all phpBB's are up to date.

    If anybody can shed further light on this, I'd appreciate the info.

  9. #9
    Member jough
    Join Date
    Aug 2003
    Location
    Philadelphia, PA
    Posts
    63

    Default

    I also noticed a large server load with this running as the top process:

    /hsphere/shared/apache/bin/httpd -DSSL

    Just this morning.

    There was also an RPM installed last night:

    /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{release}.%{arch}.rpm\n

    So I don't know if this is an exploit or the result of a cPanel update gone awry.

  10. #10
    Member
    Join Date
    Oct 2003
    Posts
    15

    Default

    I believe this has to do with the phpBB exploit and the Santy worm.

  11. #11
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    Quote Originally Posted by EdRooney
    Kill it, terminate user.
    That's a little extreme. It's like taking out the lungs to cure someone with an infection in their chest.
    Beau Henderson

  12. #12
    Registered User
    Join Date
    Jul 2004
    Posts
    3

    Default

    I'm having the exact same problem.

    also, I noticed in my /tmp directory the following files among others: bot.txt unbot.txt worm.txt unworm.txt ...

  13. #13
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    Yep, that's most likely the phpBB worm. I've been seeing all sorts of variants, using different search engines; they're sprouting like wildfire.

    Have a look at this for some tips and info:
    http://www.webhostingtalk.com/showth...hreadid=355874
    and
    http://www.webhostingtalk.com/showth...hreadid=355810
    Beau Henderson

  14. #14
    Member
    Join Date
    Mar 2003
    Posts
    16

    Default

    Hello,

    Got it here too. Check your error_log; I got some sites from:

    root@serv [~]# lsof | grep ESTABLISHED
    sshd 15813 root 4u IPv4 77912 TCP serv.ocservers.net:ssh->NOCStaff.ocservers.net:4539 (ESTABLISHED)
    perl 25845 nobody 3u IPv4 218519 TCP serv.ocservers.net:34161->lemming.euronet.nl:ircd (ESTABLISHED)
    perl 26737 nobody 3u IPv4 377479 TCP serv.ocservers.net:34385->irc2.saunalahti.fi:ircd (ESTABLISHED)
    perl 26744 nobody 3u IPv4 301254 TCP serv.ocservers.net:34367->irc2.saunalahti.fi:ircd (ESTABLISHED)
    exim 27036 mailnull 1u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
    exim 27036 mailnull 2u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
    exim 27337 mailnull 1u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
    exim 27337 mailnull 2u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
    exim 27355 mailnull 1u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
    exim 27355 mailnull 2u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
    exim 27399 mailnull 1u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
    exim 27399 mailnull 2u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
    exim 27402 mailnull 1u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
    exim 27402 mailnull 2u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
    exim 27456 mailnull 1u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
    exim 27456 mailnull 2u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
    root@serv [~]# kill 25845
    root@serv [~]# kill 26737
    root@serv [~]# kill 26744
    root@serv [~]# lsof | grep ESTABLISHED



    http://www.webmaster-it.it/terrorbot.txt
    http://www.webmaster-it.it/terrorworm.txt

    Country: ITALY


    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    inetnum: 212.25.160.0 - 212.25.165.255
    netname: SEEWEB-NET
    descr: SEEWEB Hosting Company
    country: IT
    admin-c: AB91-RIPE
    tech-c: AB91-RIPE
    status: ASSIGNED PA
    notify: ********@seeweb.it
    mnt-by: SEEWEB-MNT
    changed: ********@seeweb.it 20020602
    source: RIPE

    route: 212.25.160.0/19
    descr: STT Sviluppo Tecnologie Telematiche avanzate srl
    origin: AS12637
    mnt-by: AS1267-MNT
    changed: ********@ripe.net 19991014
    source: RIPE

    person: Antonio Baldassarra
    address: SEEWEB Hosting Company
    address: C.so Lazio, 9/a
    address: I - 03100 - Frosinone
    address: Italy
    phone: +39 0775 880041
    fax-no: +39 0775 830054
    e-mail: ********@seeweb.it
    nic-hdl: AB91-RIPE
    changed: ********@seeweb.it 20011126
    source: RIPE
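
The triage in post #8 (an httpd that top shows as perl, traced by PID back to the vhost) and the lsof listing in post #14 (perl processes owned by nobody talking to ircd) can be scripted. The script below is an added example for this thread, not code anyone posted in it. It assumes a Linux box with /proc and a readlink that supports -f, and that it is run as root. The script name, the IRC port list (6660-6669 and 7000) and the verdict words are my assumptions; the lsof line format it parses is the one shown in post #14. The point it relies on: a Perl bot can rewrite its argv (what WHM and /proc/PID/cmdline show), but not the kernel's comm field (what top shows) or /proc/PID/exe, so comparing the two views exposes it.

```shell
#!/bin/sh
# check_fake_httpd.sh -- added example for this thread, not code posted in it.
#
# The bot described here rewrote its own argv so WHM showed
# "/hsphere/shared/apache/bin/httpd -DSSL", while top still showed "perl":
# top reads the kernel's comm field, which a process cannot change by
# overwriting argv. /proc exposes both views, so a process can be caught by
# comparing what argv[0] claims with what the kernel actually executed
# (/proc/PID/exe) and whether the claimed path even exists on disk.
# Assumes Linux with /proc and a readlink that supports -f; run as root.

# classify_proc CLAIMED_ARGV0 REAL_EXE
# Prints one verdict: fake-path, exe-mismatch, unverified or ok.
# Does no /proc access itself so it can be exercised with constructed input.
classify_proc() {
    claimed=$1
    real=$2
    case $claimed in
        /*) ;;
        *)  echo unverified                # bare "httpd" or "perl": nothing to check on disk
            return 0 ;;
    esac
    if [ ! -e "$claimed" ]; then
        echo fake-path                     # argv[0] names a binary that does not exist
        return 0
    fi
    # Resolve symlinks (/bin/sh -> dash and the like) before comparing,
    # otherwise every symlinked binary would look like a mismatch.
    canon=$(readlink -f "$claimed" 2>/dev/null || echo "$claimed")
    if [ "$canon" != "$real" ]; then
        echo exe-mismatch                  # argv[0] says one binary, the kernel ran another
        return 0
    fi
    echo ok
}

# suspicious_conn LSOF_LINE
# Takes one line of `lsof -i | grep ESTABLISHED` output (the format in post #14)
# and prints "irc" when the process runs as nobody and the remote port is
# ircd or a common IRC port (6660-6669, 7000; my assumption), else "-".
suspicious_conn() {
    printf '%s\n' "$1" | awk '
        {
            verdict = "-"
            if ($3 == "nobody" && $NF == "(ESTABLISHED)") {
                n = split($(NF-1), ends, "->")     # "local->remote"
                m = split(ends[n], hp, ":")        # "host:port"
                port = hp[m]
                if (port == "ircd" || port == "7000" ||
                    (port ~ /^[0-9]+$/ && port + 0 >= 6660 && port + 0 <= 6669))
                    verdict = "irc"
            }
            print verdict
        }'
}

# scan_procs
# Walks /proc and prints every process that is neither "ok" nor "unverified",
# with uid and comm, so the PID can be traced back to a vhost the way
# post #8 did via Apache status in WHM.
scan_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        claimed=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        claimed=${claimed%% *}             # a $0 rewrite may leave "httpd -DSSL" in argv[0]
        [ -n "$claimed" ] || continue      # kernel threads have an empty cmdline
        real=$(readlink "$d/exe" 2>/dev/null) || continue   # exited, or not readable
        real=${real% (deleted)}            # binary unlinked after exec: keep the path
        verdict=$(classify_proc "$claimed" "$real")
        case $verdict in ok|unverified) continue ;; esac
        uid=$(awk '/^Uid:/ { print $2 }' "$d/status" 2>/dev/null)
        comm=$(cat "$d/comm" 2>/dev/null)
        printf '%s uid=%s comm=%s exe=%s argv0=%s %s\n' \
            "$pid" "$uid" "$comm" "$real" "$claimed" "$verdict"
    done
}

# Usage: sh check_fake_httpd.sh scan    (process view)
#        sh check_fake_httpd.sh conns   (connection view, needs lsof)
case ${1:-} in
    scan)  scan_procs ;;
    conns) lsof -i -n 2>/dev/null | grep ESTABLISHED | while IFS= read -r line; do
               if [ "$(suspicious_conn "$line")" = irc ]; then printf '%s\n' "$line"; fi
           done ;;
esac
```

Run `sh check_fake_httpd.sh scan` and `sh check_fake_httpd.sh conns` as root. A bot that sets $0 to a bare word such as `httpd` comes back as unverified rather than flagged, which is why the process check is paired with the connection check. Killing the flagged PIDs is only a stopgap: as post #8 found, they come back until the phpBB install behind them is disabled or upgraded.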

  15. #15
    Member
    Join Date
    Dec 2004
    Posts
    55

    Default

    Yes, it looks like the phpBB worm. Upgrade any phpBB installs to 2.0.11. If you don't want to upgrade, follow the instructions to fix the viewtopic bug (which I believe is the problem, if my memory serves me).
