The Community Forums


kotfare process?

Discussion in 'General Discussion' started by scatchon, Jan 25, 2006.

  1. scatchon

    scatchon Member

    Joined:
    Aug 19, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Anyone ever see a process called 'kotfare' running on your machine?

    It's using almost 100% of the CPUs and has been running for a long time.

    Plus I can't seem to kill it.

    Any ideas?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Not one I've come across. What OS are you running and what do you get if you check lsof on the PID of the process:

    lsof -p PID
     
  3. S-Combs

    S-Combs Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
  4. scatchon

    scatchon Member

    Will do.

    I had the process killed so I can't get any more info right now. I will provide more info when it happens again.

    Thanks for your replies.
     
  5. TAK

    TAK Well-Known Member

    Joined:
    Dec 10, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    We had this pop up on a server yesterday - looks a bit nasty. We are currently working on cleaning it up and ensuring that everything is secure. I'll update this thread later with any info that could be of use to others.
     
  6. scatchon

    scatchon Member

    Found this information

    Found this and had to translate it to English - it seems kotfare is a worm:

    20-01-2006: Security alert - kotfare worm
    Dear Customer,

    Recently some servers have been infected with a worm called "kotfare". As far as we have been able to determine so far, this worm exploits a security flaw in CMSs such as Mambo and PHP-Nuke. It installs itself on the system through the apache user and listens on port 8350 of your server, waiting for instructions from the attacker and launching mass flood attacks.
    As a result of this activity some servers have generated very high amounts of traffic, which ends up affecting their performance and increasing the use of the AMEN network exponentially.
    So far this problem affects Linux servers only.

    For these reasons we ask all customers with Linux servers to carry out the following check:

    1º Log in to your Linux server over SSH.
    More information on how to do this at: http://www.amen.pt/support/beginners/index.php?cat=743

    2º Once logged in to the machine as root, check for the presence of this worm by running the following command: ps -ef | grep kotfare

    If the server is not infected the result will look like this:
    [root@wpcxxxx root]# ps -ef | grep kotfare
    root 3448 3389 0 16:13 pts/0 00:00:00 grep kotfare

    If the server is infected the result will look like this:
    [root@wpcxxxx root]# ps -ef | grep kotfare
    apache 23631 31,5 1,0 7168 2528 ? R 12:29 47:17 kotfare
    apache 26222 43,0 1,1 7328 2868 ? S 14:58 0:40 kotfare
    root 3448 3389 0 16:13 pts/0 00:00:00 grep kotfare

    3º If the server is infected, add a firewall rule by running the following command:

    iptables -A INPUT -i eth0 -p tcp --dport 8350 -j DROP

    4º Finally, restart the server and repeat steps 1 and 2 to verify that it is no longer infected.

    NOTE: as a security precaution, carry out this check regularly.

    Best regards,
    AMEN Portugal support team "
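The four-step check in the alert above, as an added example (not part of the thread or of AMEN's notice): it parses a `ps` listing, matches the command field as a whole so that the `grep kotfare` line in the "not infected" output is not counted as a hit, handles both the `ps -ef` column order the alert names and the `ps aux` order its "infected" sample actually uses, and emits the iptables rule from step 3 as an argument vector. The sample listings are constructed from the alert's lines; `live_ps_output` is a convenience for running the same check on a real host.

```python
import subprocess

WORM_NAME = "kotfare"

# Constructed sample listings mirroring the two cases in the alert above:
# a clean host, where only the grep itself contains the name, and an infected one.
CLEAN_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      3448  3389  0 16:13 pts/0    00:00:00 grep kotfare
"""

# The alert's "infected" listing is in `ps aux` column order
# (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND), so both layouts are handled.
INFECTED_PS = """\
apache 23631 31,5 1,0 7168 2528 ? R 12:29 47:17 kotfare
apache 26222 43,0 1,1 7328 2868 ? S 14:58 0:40 kotfare
root 3448 3389 0 16:13 pts/0 00:00:00 grep kotfare
"""


def worm_processes(ps_output, name=WORM_NAME):
    """Return [(user, pid, command)] for every process whose command is exactly `name`.

    A plain `grep kotfare` also matches the grep process itself (see the alert's
    "not infected" output), so the command field is compared as a whole instead
    of looking for the name anywhere on the line.
    """
    hits = []
    for line in ps_output.splitlines():
        f = line.split()
        if len(f) < 8 or not f[1].isdigit():
            continue  # header or malformed line
        # ps -ef: UID PID PPID C STIME TTY TIME CMD (command starts at field 8);
        # ps aux: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND (field 11).
        # Column 3 is an integer PPID in -ef output and a %CPU value in aux output.
        start = 7 if f[2].isdigit() else 10
        cmd = f[start:]
        if cmd and cmd[0] == name:
            hits.append((f[0], int(f[1]), " ".join(cmd)))
    return hits


def is_infected(ps_output, name=WORM_NAME):
    return bool(worm_processes(ps_output, name))


def block_rule(port=8350, iface="eth0"):
    """Argument vector of the DROP rule the alert prescribes in step 3."""
    return ["iptables", "-A", "INPUT", "-i", iface, "-p", "tcp",
            "--dport", str(port), "-j", "DROP"]


def report(ps_output):
    """Step 2 as a one-shot check: what was found and what to run next."""
    hits = worm_processes(ps_output)
    if not hits:
        return "clean: no %s process" % WORM_NAME
    lines = ["infected: %d %s process(es)" % (len(hits), WORM_NAME)]
    for user, pid, cmd in hits:
        lines.append("  pid %d user %s: %s" % (pid, user, cmd))
    lines.append("  kill the processes, then: " + " ".join(block_rule()))
    return "\n".join(lines)


def live_ps_output():
    """Run ps on the current host (the demo below uses the embedded samples instead)."""
    return subprocess.run(["ps", "-ef"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(report(CLEAN_PS))
    print(report(INFECTED_PS))
```

The DROP rule only closes the inbound control port; the running processes still have to be killed and the vulnerable CMS patched, otherwise the same request that planted the worm simply plants it again.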
     
  7. killfactor

    killfactor Registered

    Joined:
    Oct 31, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    English removal instructions for kotfare

    Anyone know where an English version of these instructions is?

    I mean I've given it a go, I've deleted the nasty files and killed the processes 'kotfare' and the like - but I don't really know if that's cleaned it out.

    I hate these bored script kiddies who do this!
     
  8. scatchon

    scatchon Member

    lsof results

    kotfare popped up again. Here's what I get when I do the lsof -p PID:

    perl 21224 nobody cwd DIR 8,5 4096 2 /
    perl 21224 nobody rtd DIR 8,5 4096 2 /
    perl 21224 nobody txt REG 8,5 1204848 9919629 /usr/bin/perl
    perl 21224 nobody mem REG 8,5 48524720 9915710 /usr/lib/locale/locale-archive
    perl 21224 nobody mem REG 8,5 21756 10110403 /usr/lib/perl5/5.8.7/x86_64-linux/auto/IO/IO.so
    perl 21224 nobody mem REG 8,5 25807 10110148 /usr/lib/perl5/5.8.7/x86_64-linux/auto/Socket/Socket.so
    perl 21224 nobody mem REG 8,5 56791 2113563 /lib64/libnss_files-2.3.4.so
    perl 21224 nobody mem REG 8,5 105080 2113639 /lib64/ld-2.3.4.so
    perl 21224 nobody mem REG 8,5 1489097 2113640 /lib64/tls/libc-2.3.4.so
    perl 21224 nobody mem REG 8,5 17943 2113587 /lib64/libdl-2.3.4.so
    perl 21224 nobody mem REG 8,5 613297 2113648 /lib64/tls/libm-2.3.4.so
    perl 21224 nobody mem REG 8,5 30070 2113748 /lib64/libcrypt-2.3.4.so
    perl 21224 nobody mem REG 8,5 107327 2113541 /lib64/libnsl-2.3.4.so
    perl 21224 nobody mem REG 8,5 17367 2113751 /lib64/libutil-2.3.4.so
    perl 21224 nobody 0r CHR 1,3 1691 /dev/null
    perl 21224 nobody 1w FIFO 0,7 31474996 pipe
    perl 21224 nobody 2w REG 8,5 30374914 10044858 /usr/local/apache/logs/error_log
    perl 21224 nobody 3u IPv4 31475056 TCP server.superiorinternet.com:60083->host58-253.pool82104.interbusiness.it:afs3-fileserver (ESTABLISHED)
    perl 21224 nobody 7w FIFO 0,7 24812906 pipe
    perl 21224 nobody 8r FIFO 0,7 24812907 pipe
    perl 21224 nobody 9u unix 0x000001007eca70c0 31474980 socket
    perl 21224 nobody 10r FIFO 0,7 24812908 pipe
    perl 21224 nobody 12u unix 0x000001007eb496c0 29694375 socket
    perl 21224 nobody 15w REG 8,5 0 10045756 /usr/local/apache/logs/audit_log
    perl 21224 nobody 16w REG 8,5 0 10045758 /usr/local/apache/logs/modsec_debug_log
    perl 21224 nobody 17w REG 8,5 30374914 10044858 /usr/local/apache/logs/error_log
    perl 21224 nobody 20w REG 8,5 0 10063109 /usr/local/apache/domlogs/palmettoexterminators.net-bytes_log
    perl 21224 nobody 21w REG 8,5 0 10062663 /usr/local/apache/domlogs/charlestonhomemag.com-bytes_log
    perl 21224 nobody 22w REG 8,5 6557 10062653 /usr/local/apache/domlogs/charlestonweddingsmag.com-bytes_log
    perl 21224 nobody 23w REG 8,5 0 10063124 /usr/local/apache/domlogs/pintailpartners.com-bytes_log
    perl 21224 nobody 24w REG 8,5 0 10063115 /usr/local/apache/domlogs/bluewaterretail.com-bytes_log
    perl 21224 nobody 25w REG 8,5 0 10063112 /usr/local/apache/domlogs/thattawaylaw.com-bytes_log
    perl 21224 nobody 26w REG 8,5 2674 10062722 /usr/local/apache/domlogs/superiorinternet.com-bytes_log
    perl 21224 nobody 27w REG 8,5 49325 10059904 /usr/local/apache/domlogs/charlestonmag.com-bytes_log
    perl 21224 nobody 28w REG 8,5 8169 10059842 /usr/local/apache/domlogs/biscuitville.com-bytes_log
    perl 21224 nobody 29w REG 8,5 2143 10062892 /usr/local/apache/domlogs/outdooraddiction.com-bytes_log
    perl 21224 nobody 30w REG 8,5 1152 10063063 /usr/local/apache/domlogs/innowavesolutions.com-bytes_log
    perl 21224 nobody 31w REG 8,5 72 10063056 /usr/local/apache/domlogs/wwservicesinc.com-bytes_log
    perl 21224 nobody 32w REG 8,5 0 10063052 /usr/local/apache/domlogs/winningwithclass.com-bytes_log
    perl 21224 nobody 33w REG 8,5 36 10063048 /usr/local/apache/domlogs/westlocating.com-bytes_log
    perl 21224 nobody 34w REG 8,5 8355 10063044 /usr/local/apache/domlogs/vss.org-bytes_log
    perl 21224 nobody 35w REG 8,5 18 10063040 /usr/local/apache/domlogs/vrande.com-bytes_log
    perl 21224 nobody 36w REG 8,5 0 10063030 /usr/local/apache/domlogs/embrex.visionairemarketing.com-bytes_log
    perl 21224 nobody 37w REG 8,5 73 10063036 /usr/local/apache/domlogs/visionairemarketing.com-bytes_log
    perl 21224 nobody 38w REG 8,5 18 10063026 /usr/local/apache/domlogs/twilightcharleston.com-bytes_log
    perl 21224 nobody 39w REG 8,5 234 10063019 /usr/local/apache/domlogs/tomcrowley.net-bytes_log
    perl 21224 nobody 40w REG 8,5 0 10063016 /usr/local/apache/domlogs/tnfrenovations.com-bytes_log
    perl 21224 nobody 41w REG 8,5 5261 10063012 /usr/local/apache/domlogs/theharborageatashleymarina.com-bytes_log
    perl 21224 nobody 42w REG 8,5 18 10063006 /usr/local/apache/domlogs/theboathouseatgoldenislesmarina.com-bytes_log
    perl 21224 nobody 43w REG 8,5 53 10062999 /usr/local/apache/domlogs/thearty.com-bytes_log
    perl 21224 nobody 44w REG 8,5 0 10062989 /usr/local/apache/domlogs/subaoriginal.com-bytes_log
    perl 21224 nobody 45w REG 8,5 6040 10062985 /usr/local/apache/domlogs/stmichaelschurch.net-bytes_log
    perl 21224 nobody 46w REG 8,5 29629 10062978 /usr/local/apache/domlogs/st-barts.com-bytes_log
    perl 21224 nobody 47w REG 8,5 17 10062972 /usr/local/apache/domlogs/soundingboardcgi.com-bytes_log
    perl 21224 nobody 48w REG 8,5 17 10062969 /usr/local/apache/domlogs/charlestonsoccerleague.com-bytes_log
    perl 21224 nobody 49w REG 8,5 26673 10062959 /usr/local/apache/domlogs/buildingartscollege.us-bytes_log
    perl 21224 nobody 50w REG 8,5 306 10062955 /usr/local/apache/domlogs/smithwickdillon.com-bytes_log
    perl 21224 nobody 51w REG 8,5 36 10062951 /usr/local/apache/domlogs/shemcreekmarina.com-bytes_log
    perl 21224 nobody 52w REG 8,5 23097 10062948 /usr/local/apache/domlogs/scwtc.org-bytes_log
    perl 21224 nobody 53w REG 8,5 2130 10062942 /usr/local/apache/domlogs/scseafood.org-bytes_log
    perl 21224 nobody 54w REG 8,5 0 10062936 /usr/local/apache/domlogs/saecharleston.com-bytes_log
    perl 21224 nobody 55w REG 8,5 15527 10062927 /usr/local/apache/domlogs/charlestonraceweek.com-bytes_log
    perl 21224 nobody 56w REG 8,5 1642 10062924 /usr/local/apache/domlogs/precisionflooring.info-bytes_log
    perl 21224 nobody 57w REG 8,5 592 10062920 /usr/local/apache/domlogs/powellscale.com-bytes_log
    perl 21224 nobody 58w REG 8,5 484 10062917 /usr/local/apache/domlogs/petvetdogdaze.com-bytes_log
    perl 21224 nobody 59w REG 8,5 0 10062911 /usr/local/apache/domlogs/perrinandsawin.com-bytes_log
    perl 21224 nobody 60w REG 8,5 3304 10062904 /usr/local/apache/domlogs/overflowpro.com-bytes_log
    perl 21224 nobody 61w REG 8,5 0 10062897 /usr/local/apache/domlogs/shop.outdooraddiction.com-bytes_log
    perl 21224 nobody 62w REG 8,5 2143 10062892 /usr/local/apache/domlogs/outdooraddiction.com-bytes_log
    perl 21224 nobody 63w REG 8,5 8218 10062885 /usr/local/apache/domlogs/oldsouthcarriagetours.com-bytes_log
     
  9. scatchon

    scatchon Member

    lsof results part 2

    continued

    perl 21224 nobody 64w REG 8,5 23270 10062878 /usr/local/apache/domlogs/oaksteakhouserestaurant.com-bytes_log
    perl 21224 nobody 65w REG 8,5 0 10062865 /usr/local/apache/domlogs/files.nelsonprint.com-bytes_log
    perl 21224 nobody 66w REG 8,5 18 10062871 /usr/local/apache/domlogs/nelsonprint.com-bytes_log
    perl 21224 nobody 67w REG 8,5 1844 10062862 /usr/local/apache/domlogs/multiplastics.com-bytes_log
    perl 21224 nobody 68w REG 8,5 2091 10062858 /usr/local/apache/domlogs/moodyassociates.net-bytes_log
    perl 21224 nobody 69w REG 8,5 3829 10062851 /usr/local/apache/domlogs/mksmithbuilders.com-bytes_log
    perl 21224 nobody 70w REG 8,5 31720 10062844 /usr/local/apache/domlogs/mccradysrestaurant.com-bytes_log
    perl 21224 nobody 71w REG 8,5 3489 10062834 /usr/local/apache/domlogs/charlestonmaritimefestival.com-bytes_log
    perl 21224 nobody 72w REG 8,5 1638 10062830 /usr/local/apache/domlogs/liveoakjams.com-bytes_log
    perl 21224 nobody 73w REG 8,5 70 10062823 /usr/local/apache/domlogs/krystaltrough.com-bytes_log
    perl 21224 nobody 74w REG 8,5 4788 10062819 /usr/local/apache/domlogs/jlrealestate.com-bytes_log
    perl 21224 nobody 75w REG 8,5 3146 10062813 /usr/local/apache/domlogs/jjlrealestate.com-bytes_log
    perl 21224 nobody 76w REG 8,5 5938 10062806 /usr/local/apache/domlogs/hometeamcommunications.com-bytes_log
    perl 21224 nobody 77w REG 8,5 85 10062799 /usr/local/apache/domlogs/hojocharleston.com-bytes_log
    perl 21224 nobody 78w REG 8,5 0 10062795 /usr/local/apache/domlogs/hiecharlestonsouth.com-bytes_log
    perl 21224 nobody 79w REG 8,5 35 10062791 /usr/local/apache/domlogs/helphospital.com-bytes_log
    perl 21224 nobody 80w REG 8,5 715 10062784 /usr/local/apache/domlogs/gobblemribbz.com-bytes_log
    perl 21224 nobody 81w REG 8,5 0 10062777 /usr/local/apache/domlogs/ghpr.net-bytes_log
    perl 21224 nobody 82w REG 8,5 529 10062773 /usr/local/apache/domlogs/gettingscrewed.net-bytes_log
    perl 21224 nobody 83w REG 8,5 107 10062770 /usr/local/apache/domlogs/geneshaufbrau.com-bytes_log
    perl 21224 nobody 84w REG 8,5 221 10062760 /usr/local/apache/domlogs/fsbo-charleston.com-bytes_log
    perl 21224 nobody 85w REG 8,5 527 10062756 /usr/local/apache/domlogs/charlestonflorist.com-bytes_log
    perl 21224 nobody 86w REG 8,5 25447 10062749 /usr/local/apache/domlogs/fleetlanding.net-bytes_log
    perl 21224 nobody 87w REG 8,5 18 10062746 /usr/local/apache/domlogs/fishwhistle.us-bytes_log
    perl 21224 nobody 88w REG 8,5 281 10062743 /usr/local/apache/domlogs/fishingcharleston.com-bytes_log
    perl 21224 nobody 89w REG 8,5 1249 10062740 /usr/local/apache/domlogs/charlestonsportfishing.com-bytes_log
    perl 21224 nobody 90w REG 8,5 0 10062737 /usr/local/apache/domlogs/faulkengolf.com-bytes_log
    perl 21224 nobody 91w REG 8,5 608 10062730 /usr/local/apache/domlogs/evpro.com-bytes_log
    perl 21224 nobody 92w REG 8,5 0 10062708 /usr/local/apache/domlogs/files.superiorinternet.com-bytes_log
    perl 21224 nobody 93w REG 8,5 0 10062690 /usr/local/apache/domlogs/dev.superiorinternet.com-bytes_log
    perl 21224 nobody 94w REG 8,5 2674 10062722 /usr/local/apache/domlogs/superiorinternet.com-bytes_log
    perl 21224 nobody 95w REG 8,5 18 10059969 /usr/local/apache/domlogs/donovino.com-bytes_log
    perl 21224 nobody 96w REG 8,5 51 10059962 /usr/local/apache/domlogs/docebrasilfashion.com-bytes_log
    perl 21224 nobody 97w REG 8,5 0 10059958 /usr/local/apache/domlogs/dailymedicineskateboards.com-bytes_log
    perl 21224 nobody 98w REG 8,5 452 10059951 /usr/local/apache/domlogs/curdbuoy.com-bytes_log
    perl 21224 nobody 99w REG 8,5 3312 10059944 /usr/local/apache/domlogs/crewcarolina.com-bytes_log
    perl 21224 nobody 100w REG 8,5 15798 10059937 /usr/local/apache/domlogs/cpcc.com-bytes_log
    perl 21224 nobody 101w REG 8,5 397 10059931 /usr/local/apache/domlogs/costarica-vacationrental.com-bytes_log
    perl 21224 nobody 102w REG 8,5 18 10059927 /usr/local/apache/domlogs/cooperdev.com-bytes_log
    perl 21224 nobody 103w REG 8,5 0 10059920 /usr/local/apache/domlogs/christanyork.com-bytes_log
    perl 21224 nobody 104w REG 8,5 564 10059913 /usr/local/apache/domlogs/chicoraantiques.com-bytes_log
    perl 21224 nobody 105w REG 8,5 49325 10059904 /usr/local/apache/domlogs/charlestonmag.com-bytes_log
    perl 21224 nobody 106w REG 8,5 38638 10059897 /usr/local/apache/domlogs/charlestonfoodcompany.com-bytes_log
    perl 21224 nobody 107w REG 8,5 0 10059894 /usr/local/apache/domlogs/partners.charlestonticket.com-bytes_log
    perl 21224 nobody 108w REG 8,5 0 10059891 /usr/local/apache/domlogs/intranet.charlestonticket.com-bytes_log
    perl 21224 nobody 109w REG 8,5 825 10059885 /usr/local/apache/domlogs/charlestonticket.com-bytes_log
    perl 21224 nobody 110w REG 8,5 17 10059881 /usr/local/apache/domlogs/chakerislawfirm.com-bytes_log
    perl 21224 nobody 111w REG 8,5 0 10059874 /usr/local/apache/domlogs/cbrowndesign.com-bytes_log
    perl 21224 nobody 112w REG 8,5 6696 10059868 /usr/local/apache/domlogs/cbfiredept.com-bytes_log
    perl 21224 nobody 113w REG 8,5 0 10059865 /usr/local/apache/domlogs/shop.boathouserestaurants.com-bytes_log
    perl 21224 nobody 114w REG 8,5 0 10059859 /usr/local/apache/domlogs/catering.boathouserestaurants.com-bytes_log
    perl 21224 nobody 115w REG 8,5 15253 10059855 /usr/local/apache/domlogs/boathouserestaurants.com-bytes_log
    perl 21224 nobody 116w REG 8,5 0 10059848 /usr/local/apache/domlogs/blackdoggproductions.com-bytes_log
    perl 21224 nobody 117w REG 8,5 8169 10059842 /usr/local/apache/domlogs/biscuitville.com-bytes_log
    perl 21224 nobody 118w REG 8,5 0 10059838 /usr/local/apache/domlogs/biscuitvilleonline.com-bytes_log
    perl 21224 nobody 119w REG 8,5 18 10059832 /usr/local/apache/domlogs/bgcreativedesigns.com-bytes_log
    perl 21224 nobody 120w REG 8,5 0 10059819 /usr/local/apache/domlogs/babyfoamdome.com-bytes_log
    perl 21224 nobody 121w REG 8,5 424 10059813 /usr/local/apache/domlogs/b200.org-bytes_log
    perl 21224 nobody 122w REG 8,5 153 10059807 /usr/local/apache/domlogs/ashleymarina.com-bytes_log
    perl 21224 nobody 123w REG 8,5 17 10059800 /usr/local/apache/domlogs/apeiromortgage.com-bytes_log
    perl 21224 nobody 124w REG 8,5 0 10059796 /usr/local/apache/domlogs/alfasupplyinc.com-bytes_log
    perl 21224 nobody 125w REG 8,5 0 10059790 /usr/local/apache/domlogs/ajdcreative.com-bytes_log
    perl 21224 nobody 126w REG 8,5 323 10059784 /usr/local/apache/domlogs/abbysbest.com-bytes_log
    perl 21224 nobody 127w REG 8,5 1524983 10059787 /usr/local/apache/domlogs/server.superiorinternet.com-bytes_log
    perl 21224 nobody 128w REG 8,5 14527 10059788 /usr/local/apache/domlogs/amd64.hostforweb.net-bytes_log
    perl 21224 nobody 129w REG 8,5 69527 10044859 /usr/local/apache/logs/ssl_engine_log
    perl 21224 nobody 130w REG 8,5 16186 10063068 /usr/local/apache/domlogs/www.superiorinternet.com-ssl_data_log
    perl 21224 nobody 131w REG 8,5 2804380 10059910 /usr/local/apache/domlogs/www.charlestonmag.com-ssl_data_log
    perl 21224 nobody 132w REG 8,5 114563 10059845 /usr/local/apache/domlogs/www.biscuitville.com-ssl_data_log
    perl 21224 nobody 133w REG 8,5 269780 10063066 /usr/local/apache/domlogs/outdooraddiction.com-ssl_data_log
    perl 21224 nobody 134w REG 8,5 0 10044062 /usr/local/apache/logs/ssl_mutex.22252
    perl 21224 nobody 243w REG 8,5 0 10044062 /usr/local/apache/logs/ssl_mutex.22252
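What the two lsof posts above actually tell a responder, as an added example that is not part of the thread: a small parser for `lsof -p PID` output and an assessment of the indicators in it. The sample is a subset of the lines posted above with the wrapping artifacts joined; the reading of the indicators (the executable is `/usr/bin/perl` while `ps` showed `kotfare`, which is what a Perl script that rewrites `$0` looks like; stderr and dozens of domlog descriptors inherited from httpd mean the process was spawned by a web request; one established outbound TCP session is the controller) is the editor's interpretation, not something the posters stated.

```python
import re

# Lines copied from the lsof output posted above (wrapping artifacts joined); a
# representative subset covering each descriptor kind the full listing contains.
LSOF_SAMPLE = """\
perl 21224 nobody cwd DIR 8,5 4096 2 /
perl 21224 nobody txt REG 8,5 1204848 9919629 /usr/bin/perl
perl 21224 nobody mem REG 8,5 25807 10110148 /usr/lib/perl5/5.8.7/x86_64-linux/auto/Socket/Socket.so
perl 21224 nobody 0r CHR 1,3 1691 /dev/null
perl 21224 nobody 1w FIFO 0,7 31474996 pipe
perl 21224 nobody 2w REG 8,5 30374914 10044858 /usr/local/apache/logs/error_log
perl 21224 nobody 3u IPv4 31475056 TCP server.superiorinternet.com:60083->host58-253.pool82104.interbusiness.it:afs3-fileserver (ESTABLISHED)
perl 21224 nobody 20w REG 8,5 0 10063109 /usr/local/apache/domlogs/palmettoexterminators.net-bytes_log
perl 21224 nobody 22w REG 8,5 6557 10062653 /usr/local/apache/domlogs/charlestonweddingsmag.com-bytes_log
"""

WEB_USERS = {"nobody", "apache", "www-data", "httpd"}
APACHE_DIR = "/usr/local/apache/"  # cPanel's Apache prefix, as in the listing


def parse_lsof(text):
    """Parse `lsof -p PID` lines into dicts. The SIZE/OFF and NODE columns vary
    with TYPE, so only the leading fixed columns and the trailing NAME are used."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "COMMAND":
            continue
        row = {"command": f[0], "pid": int(f[1]), "user": f[2], "fd": f[3], "type": f[4]}
        if f[4] in ("IPv4", "IPv6"):
            row["proto"] = f[6]            # TCP/UDP sits in the NODE column
            row["name"] = " ".join(f[7:])  # "local->remote (STATE)"
        else:
            row["name"] = f[-1]
        rows.append(row)
    return rows


def remote_peers(rows):
    """Remote endpoints of established connections (what netstat -antp would show)."""
    peers = []
    for r in rows:
        if r["type"] in ("IPv4", "IPv6") and "(ESTABLISHED)" in r["name"] and "->" in r["name"]:
            peers.append(r["name"].split("->", 1)[1].split()[0])
    return peers


def assess(rows, ps_name=None):
    """Turn the descriptor table into a list of indicators. `ps_name` is the name
    ps reported for the same PID, if known."""
    if not rows:
        return []
    first = rows[0]
    findings = []
    if ps_name and first["command"] != ps_name:
        findings.append("name mismatch: ps says %r, lsof says %r (argv[0] rewritten by the script)"
                        % (ps_name, first["command"]))
    exe = next((r["name"] for r in rows if r["fd"] == "txt"), "")
    if re.search(r"/(perl|python|php|sh|bash)$", exe):
        findings.append("interpreter process: %s" % exe)
    if first["user"] in WEB_USERS:
        findings.append("runs as the web server user %r" % first["user"])
    if any(r["fd"] == "0r" and r["name"] == "/dev/null" for r in rows):
        findings.append("stdin is /dev/null: not started from a terminal")
    inherited = [r for r in rows if r["fd"][:-1].isdigit() and r["name"].startswith(APACHE_DIR)]
    if inherited:
        findings.append("%d Apache log descriptors inherited: child of httpd (CGI/PHP spawn)" % len(inherited))
    for peer in remote_peers(rows):
        findings.append("established connection to %s" % peer)
    return findings


if __name__ == "__main__":
    rows = parse_lsof(LSOF_SAMPLE)
    for line in assess(rows, ps_name="kotfare"):
        print("-", line)
```

Run `lsof -nP -p PID` on a live host so that addresses and ports stay numeric (the listing above has the port resolved to the service name `afs3-fileserver`), which makes the peer directly usable in a firewall deny rule and avoids DNS lookups that could tip off the controller.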
     
  10. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    cd to /proc/21224 and

    ls -al and paste the results

    cat environ and paste the results.

    Also go to /tmp and /dev/shm and do find ./ -user nobody | xargs rm -rf, and then kill the process

    I'd suggest arming your server with mod_security ASAP and a ruleset that has blocks for these attacks. I have a thread or two on this forum with my ruleset.

    If you'd like me to try and help disinfect your machine, feel free to email me at kris \@/ hostmerit.com
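Reading `/proc/PID/environ` the way the post above asks for, as an added example that is not HostMerit's or the thread's code: a process started by an Apache CGI or PHP handler inherits the request's environment (SERVER_NAME, SCRIPT_FILENAME, REMOTE_ADDR, REQUEST_URI and so on), so the blob names the vhost, the script and the client that spawned it, while a process started from a shell carries none of those variables. The sample environ blobs are constructed; host names, paths and addresses in them are invented.

```python
import os

# Constructed sample of /proc/<pid>/environ for a process started by an Apache
# CGI/PHP request: NUL-separated KEY=VALUE pairs. Host, paths and addresses are invented.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin:/bin\0"
    b"SERVER_SOFTWARE=Apache/1.3.34 (Unix)\0"
    b"SERVER_NAME=www.example-vhost.test\0"
    b"DOCUMENT_ROOT=/home/example/public_html\0"
    b"REMOTE_ADDR=203.0.113.45\0"
    b"REQUEST_METHOD=GET\0"
    b"REQUEST_URI=/mambo/index.php?option=com_content\0"
    b"SCRIPT_FILENAME=/home/example/public_html/mambo/index.php\0"
    b"HTTP_USER_AGENT=libwww-perl/5.803\0"
)

# A process started from a root shell carries none of the CGI variables.
SHELL_ENVIRON = b"PATH=/usr/bin:/bin\0HOME=/root\0SHELL=/bin/bash\0TERM=xterm\0"

# Variables Apache sets for a request; these identify the vhost, script and client.
REQUEST_KEYS = ("SERVER_NAME", "DOCUMENT_ROOT", "SCRIPT_FILENAME",
                "REMOTE_ADDR", "REQUEST_METHOD", "REQUEST_URI", "HTTP_USER_AGENT")


def parse_environ(blob):
    """Decode the NUL-separated environ blob into a dict (empty entries skipped)."""
    env = {}
    for item in blob.split(b"\0"):
        if not item:
            continue
        key, _, value = item.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def spawned_by_web_request(env):
    """True when the environment was inherited from an Apache request handler."""
    return "SERVER_SOFTWARE" in env or "REQUEST_URI" in env or "GATEWAY_INTERFACE" in env


def origin_report(env):
    """The request that spawned the process, or None if it did not come from Apache."""
    if not spawned_by_web_request(env):
        return None
    return {k: env[k] for k in REQUEST_KEYS if k in env}


def proc_origin(pid):
    """Live version: read /proc/<pid>/environ plus the exe and cwd links that
    `ls -al /proc/<pid>` shows. Needs root to inspect another user's process."""
    with open("/proc/%d/environ" % pid, "rb") as fh:
        env = parse_environ(fh.read())
    info = {"exe": os.readlink("/proc/%d/exe" % pid),  # ends in " (deleted)" if the file was unlinked
            "cwd": os.readlink("/proc/%d/cwd" % pid)}
    info["request"] = origin_report(env)
    return info


if __name__ == "__main__":
    print(origin_report(parse_environ(SAMPLE_ENVIRON)))
    print(origin_report(parse_environ(SHELL_ENVIRON)))
```

The REQUEST_URI and REMOTE_ADDR recovered this way are the two values to grep for in the domlogs afterwards: the first shows which script was abused, the second which client did it.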
     
  11. killfactor

    killfactor Registered

    I've added mod_security, APF firewall, and also Rkhunter...

    That seems to have helped heaps...

    I did all that, deleted all the *.txt files and session files in my /tmp directory, then did a killall -9 perl httpd, service httpd start.

    Server is running okay now... but wow, it absolutely killed it last night with kotfare and httpd requests... server load was around 40 doing a top -c
     
  12. HostMerit

    HostMerit Well-Known Member

    make sure nothing else is running by ps -u nobody

    Also make sure to drop that port mentioned earlier by default in APF.

    Also, grep your domlogs for the filenames found, and see how they were loaded on to the server, and apply some custom mod_security rules.
     
  13. killfactor

    killfactor Registered

    Hmm!

    Still getting lots of httpd being run by 'nobody'.....
     
  14. pross

    pross Well-Known Member

    Joined:
    Mar 14, 2005
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
  15. scatchon

    scatchon Member

    Info

    Here's some more info about what I found out on my server -
    this seems to be an exploit through Mambo. Script kiddies get in that way.

    I found two txt files in /tmp - mamb0x.txt and xx.txt

    I removed these, killed the kotfare process and then did a netstat -antp to check who was connected. Turned out this kotfare script/worm allowed some dude in Italy to run a fileserver. I found the IP through netstat and added it to the APF firewall. That seems to be keeping them out.

    And if you have Mambo installed make sure you upgrade to the latest version and search to find what the files and folders should be chmod'ed to, to protect yourself.
     
  16. HostMerit

    HostMerit Well-Known Member

    SecFilter "xx\.txt"
    SecFilter "mamb0x"

    Should be fine, I think I already have the xx.txt blocked in my ruleset, and perl\x20 is already in there which would've stopped this spawned shell from running - Of course it's good to keep Mambo up to date, but you never know :rolleyes:
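The "grep your domlogs for the filenames found" step and the SecFilter patterns above, combined in one added example that is neither HostMerit's ruleset nor code from the thread: the three patterns (`xx\.txt`, `mamb0x`, `perl\x20`) are applied to Apache access-log lines the way mod_security applies them to requests, after URL decoding, so that `perl%20` in a raw log line matches `perl\x20`. The log lines are constructed (documentation IP ranges, invented timestamps); the `cmd=` query parameter in them is a placeholder, not the actual Mambo request the posters saw.

```python
import re
from urllib.parse import unquote_plus

# The SecFilter patterns posted above are regular expressions that mod_security
# applies to the URL-decoded request; the same expressions are reused here.
PATTERNS = {
    "xx.txt": re.compile(r"xx\.txt"),
    "mamb0x": re.compile(r"mamb0x"),
    "perl_space": re.compile(r"perl\x20"),   # \x20 is a literal space
}

# Common/combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample domlog lines (not taken from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [25/Jan/2006:03:11:02 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Jan/2006:03:11:40 -0500] "GET /mambo/index.php?option=com_content&id=xx.txt HTTP/1.0" 200 311 "-" "libwww-perl/5.803"
198.51.100.7 - - [25/Jan/2006:03:12:01 -0500] "GET /mambo/index.php?cmd=perl%20/tmp/mamb0x.txt HTTP/1.0" 200 88 "-" "libwww-perl/5.803"
203.0.113.9 - - [25/Jan/2006:03:12:30 -0500] "GET /about/perlhistory.html HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
"""


def scan(log_text, decode=True):
    """Return one hit per log line that any pattern matches: client IP, timestamp,
    raw request and the matching rule names. With decode=True the request is
    URL-decoded first, as mod_security does; without it "perl%20" never matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = m.group("req")
        subject = unquote_plus(req) if decode else req  # unquote_plus also maps '+' to space
        matched = [name for name, rx in PATTERNS.items() if rx.search(subject)]
        if matched:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "request": req, "rules": matched})
    return hits


def suspect_ips(hits):
    """Distinct client addresses behind the hits, e.g. for an APF deny list."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["rules"], h["request"])
    print("suspects:", suspect_ips(found))
```

The fourth sample line shows why the patterns are as narrow as they are: `perlhistory.html` contains "perl" but not "perl " and is left alone, while a request that passes `perl` followed by a space as a parameter is flagged. Keep the same decoding discipline in the SecFilter rules themselves, since a rule that only sees the raw, still-encoded request misses the same hit the `decode=False` run misses here.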
     