nobody process attached to syslogd+Server Load too HIGH

madan.cpanelnet

Well-Known Member
Apr 1, 2006
INDIA
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 25259 nobody cwd DIR 3,3 4096 2 /
perl 25259 nobody rtd DIR 3,3 4096 2 /
perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
perl 25259 nobody 0r CHR 1,3 8395 /dev/null
perl 25259 nobody 1w FIFO 0,5 20074316 pipe
perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.east.verizon.net:ircd (ESTABLISHED)
perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
perl 25259 nobody 7r FIFO 0,5 19853479 pipe
perl 25259 nobody 8u unix 0xda542d00 14863818 socket
perl 25259 nobody 9r FIFO 0,5 15775422 pipe
perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
perl 25259 nobody 11r FIFO 0,5 17319214 pipe
perl 25259 nobody 12r FIFO 0,5 17392684 pipe
perl 25259 nobody 13r FIFO 0,5 17395745 pipe
perl 25259 nobody 14r FIFO 0,5 17395904 pipe
perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
 

TheSpidre

Active Member
Mar 10, 2003
I had the exact same problem on a server.

The disturbing thing is, the hacker includes a premade script that runs something like this:
wget somescript.pl to /tmp
perl somescript.pl
rm -f somescript.pl

And then, no clue, nothing!! The only solutions are running phpsuexec (even if temporary to find out what username it used) or doing an extensive search through the modsec rules to kill any accounts that have insecure scripts installed.
 

konrath

Well-Known Member
May 3, 2005
Brasil
madan.cpanelnet said:
nobody process attached to syslogd+Server Load too HIGH

Any ideas please? .... cannot find any open files attached.

Fixed !

Remove all component com_extcalendar from joomla. :D

in ssh

locate com_extcalendar

Konrath
 

tweakservers

Well-Known Member
Mar 30, 2006
Yeah... saw some of this attack on some cPanel boxes, which we have managed to block using mod_security rules.
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
Mambo/Joomla has about 1/2 page of rules that I've created so it's not just one rule heh :D Since there are tons of exploits for this software.

Nobody Check can also alert you of these fake processes FYI.
 

madan.cpanelnet

Well-Known Member
Apr 1, 2006
INDIA
NOBODY and BASH ( process )

If you see the nobody user glued to a process named bash... you may try to locate any of these files.... of course you can always use lsof.

Here is what I found out of an lsof of nobody user glued to process named bash ---->

-rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
-rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
-rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
-rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
-rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
-rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
-rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
-rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*


The best way to track malicious nobody scripts is to use the following command...

[email protected] [~]# lsof -u nobody | grep cwd

which shows the current working dir of open files attached to nobody user.
 

networxhosting

Well-Known Member
PartnerNOC
Apr 22, 2003
Hamilton, Ontario, CANADA
I have a hacker that is running stuff that I believe is being run via PHP, but I am having trouble isolating which account he's exploiting. I have told PHP to not permit most of the commands that would allow system calls (save exec, which is needed for Coppermine gallery).

He originally was running perl as nobody but now he's running perl from a bash session so ps lists bash running as nobody.

I have looked in the proc directory for the process, run lsof but that is giving me no indication of what php script he's exploiting.

What's the next step?
 

madan.cpanelnet

Well-Known Member
Apr 1, 2006
INDIA
lsof -u nobody | grep cwd

lists the directory from where the malicious scripts are running. They do not list the filename(s). You will have to identify them yourself... if they are third-party software glued to cPanel/Fantastico... an upgrade of that software may help... don't forget to back up before upgrading.

Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/


You may also need to add more modsec rules. etc.
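Since `lsof -u nobody | grep cwd` gives a directory but not the script name, the other handle on the problem is time: /proc/PID/stat records when the process started, and the request that spawned it is almost always in the Apache access_log within a minute or two of that. The script below is an added example, not code from the thread. It assumes a Linux /proc, GNU date(1) for timestamp parsing, the combined log format, and the cPanel access_log path next to the error_log seen in the first post; the log lines in the usage notes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: turn a suspicious PID into a time window
# and list the access_log requests inside it. Assumes Linux /proc, GNU date(1)
# and Apache's combined log format.

PROC="${PROC:-/proc}"

# Epoch seconds at which a process started: boot time (btime in /proc/stat)
# plus the process's start offset, which /proc/PID/stat stores in clock ticks.
proc_start_epoch() {
    stat=$(cat "$PROC/$1/stat" 2>/dev/null) || return 1
    rest=${stat##*) }                 # skip "pid (comm)"; comm may contain spaces
    set -- $rest                      # stat field 22 (starttime) is now ${20}
    btime=$(awk '/^btime/ { print $2 }' "$PROC/stat")
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    echo $(( btime + ${20} / hz ))
}

# "05/Nov/2006:13:10:00" "+0000" -> epoch seconds, via GNU date
apache_epoch() {
    d=$(printf '%s' "$1" | sed 's#^\([0-9]*\)/\([A-Za-z]*\)/\([0-9]*\):\(.*\)$#\1 \2 \3 \4#')
    date -d "$d $2" +%s
}

# Print the lines of access_log $1 whose timestamp lies within +/- $3 seconds
# (default 120) of epoch $2. Lines without a parseable timestamp are skipped.
requests_around() {
    log=$1; t0=$2; w=${3:-120}
    while IFS= read -r line; do
        ts=${line#*\[}; ts=${ts%%\]*}          # "05/Nov/2006:13:10:00 +0000"
        e=$(apache_epoch "${ts% *}" "${ts##* }" 2>/dev/null) || continue
        if [ $((e - t0)) -ge $((0 - w)) ] && [ $((e - t0)) -le "$w" ]; then
            printf '%s\n' "$line"
        fi
    done < "$log"
}

# Usage: sh find-request.sh PID [access_log]
# The default log path is an assumption (cPanel keeps access_log beside the
# error_log that appeared in the lsof output above).
if [ $# -ge 1 ]; then
    requests_around "${2:-/usr/local/apache/logs/access_log}" "$(proc_start_epoch "$1")" 120
fi
```

With a constructed log containing requests at 13:09:30, 13:10:40 and 13:20:00 on 05/Nov/2006 and a process that started at 13:10:00, the default two-minute window returns the first two lines and drops the third; the script path in those lines is the account and file to look at. Per-user logs under /usr/local/apache/domlogs give the same answer per account if the main access_log is rotated or too busy.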
 

netlook

Well-Known Member
Mar 25, 2004
Could you please tell more about:

securenobody.rpm

?

I can not find anything about it.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
They do not list the filename(s). You will have to identify them yourself... if they are third-party software glued to cPanel/Fantastico... an upgrade of that software may help...
You have to have the proper tools to pinpoint the bad/insecure scripts. In addition, securing and hardening your server is a must to minimize or completely stop malicious attacks against your server. It is really hard to say what the cause is without looking into the server. Point your browser at: http://www.servertune.com/kbase/security/server_load.html and http://www.servertune.com/kbase/security/concept.html
 