Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

nobody process attached to syslogd+Server Load too HIGH

Discussion in 'General Discussion' started by madan.cpanelnet, Sep 18, 2006.

  1. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    nobody process attached to syslogd+Server Load too HIGH

    Any ideas please? .... cannot find any open files attached.
     
    #1 madan.cpanelnet, Sep 18, 2006
  2. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 25259 nobody cwd DIR 3,3 4096 2 /
    perl 25259 nobody rtd DIR 3,3 4096 2 /
    perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
    perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
    perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
    perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
    perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
    perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
    perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
    perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
    perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
    perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
    perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
    perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
    perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
    perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
    perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
    perl 25259 nobody 0r CHR 1,3 8395 /dev/null
    perl 25259 nobody 1w FIFO 0,5 20074316 pipe
    perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
    perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.e
    ast.verizon.net:ircd (ESTABLISHED)
    perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
    perl 25259 nobody 7r FIFO 0,5 19853479 pipe
    perl 25259 nobody 8u unix 0xda542d00 14863818 socket
    perl 25259 nobody 9r FIFO 0,5 15775422 pipe
    perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
    perl 25259 nobody 11r FIFO 0,5 17319214 pipe
    perl 25259 nobody 12r FIFO 0,5 17392684 pipe
    perl 25259 nobody 13r FIFO 0,5 17395745 pipe
    perl 25259 nobody 14r FIFO 0,5 17395904 pipe
    perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
     
    #2 madan.cpanelnet, Sep 18, 2006
  3. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    The above seems to me an IRCD attack;

    I 've dropped ircd port --------->


    root@myserver [~]# iptables -A INPUT -p tcp --destination-port ircd -j DROP
    root@myserver [~]# iptables -A FORWARD -p tcp --destination-port ircd -j DROP




    Please share your thoughts and advise.
     
    #3 madan.cpanelnet, Sep 18, 2006
  4. TheSpidre

    TheSpidre Active Member

    Joined:
    Mar 10, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    156
    I had the exact same problem on a server.

    The disturbing thing is, the hacker includes a premade script that runs something like this:
    wget somescript.pl to /tmp
    perl somescript.pl
    rm -f somescript.pl

    And then, no clue, nothing!! The only solutions are running phpsuexec (even if temporary to find out what username it used) or doing an extensive search through the modsec rules to kill any accounts that have insecure scripts installed.
     
    #4 TheSpidre, Sep 19, 2006
  5. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    I had the exact same problem on a server.

    Konrath
     
    #5 konrath, Sep 20, 2006
  6. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil

    Fixed !

    Remove all component com_extcalendar from joomla. :D

    in ssh

    locate com_extcalendar

    Konrath
     
    #6 konrath, Sep 23, 2006
  7. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    166
    yeah.. saw some of this attack on some of Cpanel box which we have managed to block it using mod_security rules
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 tweakservers, Sep 23, 2006
  8. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    What filtering rules did you set in modsec?
     
    #8 madan.cpanelnet, Oct 30, 2006
  9. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Mambo/Joomla has about 1/2 page of rules that I've created so it's not just one rule heh :D Since there are tons of exploits for this software.

    Nobody Check can also alert you of thse fake processes FYI.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 ramprage, Oct 31, 2006
  10. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    NOBODY and BASH ( process )

    If you see nobody user glued to process named bash... you may try to locate any of these files.... ofcouse you can always lsof.

    Here is what I found out of an lsof of nobody user glued to process named bash ---->

    -rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
    -rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
    -rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
    -rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
    -rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
    -rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
    -rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
    -rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
    -rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
    -rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*


    The best way to track malicous nobody scripts is to use the following command...

    root@server1 [~]# lsof -u nobody | grep cwd

    which shows the current working dir of open files attached to nobody user.
     
    #10 madan.cpanelnet, Nov 7, 2006
  11. networxhosting

    networxhosting Well-Known Member
    PartnerNOC

    Joined:
    Apr 22, 2003
    Messages:
    80
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Hamilton, Ontario, CANADA
    I have a hacker that running stuff that I believe is being run via php but I am having trouble isolating which account he's exploiting. I have told php to not permit most of the commands that would allow system calls (save exec which is needed for coppermine gallery.)

    He originally was running perl as nobody but now he's running perl from a bash session so ps lists bash running as nobody.

    I have looked in the proc directory for the process, run lsof but that is giving me no indication of what php script he's exploiting.

    What's the next step?
     
    #11 networxhosting, Nov 7, 2006
  12. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    INDIA
    lsof -u nobody | grep cwd

    lists you the directory from where the malicious scripts are running. They donot list the filename(s). You will have to indetify them yourself... if they are thirdparty softwares glued to cpanel/fantastico ... an upgrade of those software may help... dont forget to backup before upgrade.

    Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/


    You may also need to add more modsec rules. etc.
     
    #12 madan.cpanelnet, Nov 8, 2006
  13. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    166
    Could you please tell more about:

    securenobody.rpm

    ?

    I can not find anything about it.
     
    #13 netlook, Nov 25, 2006
  14. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    4
    Trophy Points:
    193
    Location:
    Minneapolis, MN
    You have to have the proper tools to pinpoint the bad/insecure scripts. In addition, securing and hardening your server is a must to minimize or completely stop malicious attacks against your server. It is really hard to say what the cause is without looking into the server. Point your browser at: http://www.servertune.com/kbase/security/server_load.html and http://www.servertune.com/kbase/security/concept.html
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #14 AndyReed, Nov 25, 2006
    Last edited: Nov 25, 2006
  15. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    I think they're referring to : Nobody Check security tool available at http://www.webhostgear.com/353.html
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #15 ramprage, Nov 25, 2006
  16. sampride

    sampride Member

    Joined:
    Jul 8, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    151
    ramprage , can you share with us your mod_security rules for joomla/mambo?
     
    #16 sampride, Nov 28, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - nobody process attached
  1. rasanjanad

    High Server Load & Nobody Process

    rasanjanad, Nov 28, 2017, in forum: Workarounds and Optimization
    Replies:
    2
    Views:
    713
    cPanelMichael
    Nov 28, 2017
  2. Bdzzld

    Processes run by nobody

    Bdzzld, Oct 28, 2016, in forum: EasyApache
    Replies:
    6
    Views:
    1,072
    cPanelMichael
    Nov 1, 2016
  3. mythosis

    Nobody High CPU HTTPD

    mythosis, Jul 25, 2018, in forum: EasyApache
    Replies:
    5
    Views:
    247
    cPanelMichael
    Jul 31, 2018
  4. psm

    Nobody user taking up 300% CPU?

    psm, Jun 21, 2018, in forum: Security
    Replies:
    4
    Views:
    162
    cPanelMichael
    Jun 22, 2018
  5. The Emperor

    The server’s hostname conflicts with domain ownership for the user “nobody”

    The Emperor, Jun 4, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    14
    Views:
    411
    cPanelLauren
    Jun 11, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice