nobody process attached to syslogd+Server Load too HIGH

nobody process attached to syslogd+Server Load too HIGH

Any ideas please? .... cannot find any open files attached.

 

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 25259 nobody cwd DIR 3,3 4096 2 /
perl 25259 nobody rtd DIR 3,3 4096 2 /
perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
perl 25259 nobody 0r CHR 1,3 8395 /dev/null
perl 25259 nobody 1w FIFO 0,5 20074316 pipe
perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.e
ast.verizon.net:ircd (ESTABLISHED)
perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
perl 25259 nobody 7r FIFO 0,5 19853479 pipe
perl 25259 nobody 8u unix 0xda542d00 14863818 socket
perl 25259 nobody 9r FIFO 0,5 15775422 pipe
perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
perl 25259 nobody 11r FIFO 0,5 17319214 pipe
perl 25259 nobody 12r FIFO 0,5 17392684 pipe
perl 25259 nobody 13r FIFO 0,5 17395745 pipe
perl 25259 nobody 14r FIFO 0,5 17395904 pipe
perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log

 

The above seems to me an IRCD attack;

I 've dropped ircd port --------->


root@myserver [~]# iptables -A INPUT -p tcp --destination-port ircd -j DROP
root@myserver [~]# iptables -A FORWARD -p tcp --destination-port ircd -j DROP




Please share your thoughts and advise.

 

What filtering rules did you set in modsec?

 

NOBODY and BASH ( process )

If you see nobody user glued to process named bash... you may try to locate any of these files.... ofcouse you can always lsof.

Here is what I found out of an lsof of nobody user glued to process named bash ---->

-rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
-rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
-rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
-rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
-rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
-rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
-rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
-rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*


The best way to track malicous nobody scripts is to use the following command...

root@server1 [~]# lsof -u nobody | grep cwd

which shows the current working dir of open files attached to nobody user.

 

lsof -u nobody | grep cwd

lists you the directory from where the malicious scripts are running. They donot list the filename(s). You will have to indetify them yourself... if they are thirdparty softwares glued to cpanel/fantastico ... an upgrade of those software may help... dont forget to backup before upgrade.

Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/


You may also need to add more modsec rules. etc.