The Community Forums


nobody process attached to syslogd+Server Load too HIGH

Discussion in 'General Discussion' started by madan.cpanelnet, Sep 18, 2006.

  1. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    nobody process attached to syslogd+Server Load too HIGH

    Any ideas please? .... cannot find any open files attached.
     
  2. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 25259 nobody cwd DIR 3,3 4096 2 /
    perl 25259 nobody rtd DIR 3,3 4096 2 /
    perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
    perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
    perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
    perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
    perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
    perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
    perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
    perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
    perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
    perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
    perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
    perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
    perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
    perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
    perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
    perl 25259 nobody 0r CHR 1,3 8395 /dev/null
    perl 25259 nobody 1w FIFO 0,5 20074316 pipe
    perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
    perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.east.verizon.net:ircd (ESTABLISHED)
    perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
    perl 25259 nobody 7r FIFO 0,5 19853479 pipe
    perl 25259 nobody 8u unix 0xda542d00 14863818 socket
    perl 25259 nobody 9r FIFO 0,5 15775422 pipe
    perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
    perl 25259 nobody 11r FIFO 0,5 17319214 pipe
    perl 25259 nobody 12r FIFO 0,5 17392684 pipe
    perl 25259 nobody 13r FIFO 0,5 17395745 pipe
    perl 25259 nobody 14r FIFO 0,5 17395904 pipe
    perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
     
  3. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    The above seems to me to be an IRCD attack;

    I've dropped the ircd port --------->

    root@myserver [~]# iptables -A INPUT -p tcp --destination-port ircd -j DROP
    root@myserver [~]# iptables -A FORWARD -p tcp --destination-port ircd -j DROP

    Please share your thoughts and advice.
     
  4. TheSpidre

    TheSpidre Active Member

    Joined:
    Mar 10, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    I had the exact same problem on a server.

    The disturbing thing is, the hacker includes a premade script that runs something like this:
    wget somescript.pl to /tmp
    perl somescript.pl
    rm -f somescript.pl

    And then, no clue, nothing!! The only solutions are running phpsuexec (even if temporary to find out what username it used) or doing an extensive search through the modsec rules to kill any accounts that have insecure scripts installed.
     
  5. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    I had the exact same problem on a server.

    Konrath
     
  6. konrath

    konrath Well-Known Member


    Fixed!

    Remove the com_extcalendar component from Joomla. :D

    In SSH:

    locate com_extcalendar

    Konrath
     
  7. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    16
    Yeah.. saw some of these attacks on some cPanel boxes, which we have managed to block using mod_security rules.
     
  8. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    What filtering rules did you set in modsec?
     
  9. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Mambo/Joomla has about 1/2 page of rules that I've created so it's not just one rule heh :D Since there are tons of exploits for this software.

    Nobody Check can also alert you of these fake processes FYI.
     
  10. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    NOBODY and BASH ( process )

    If you see the nobody user glued to a process named bash... you may try to locate any of these files.... of course you can always lsof.

    Here is what I found out of an lsof of the nobody user glued to a process named bash ---->

    -rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
    -rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
    -rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
    -rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
    -rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
    -rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
    -rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
    -rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
    -rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
    -rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*

    The best way to track malicious nobody scripts is to use the following command...

    root@server1 [~]# lsof -u nobody | grep cwd

    which shows the current working dir of open files attached to nobody user.
     
  11. networxhosting

    networxhosting Well-Known Member
    PartnerNOC

    Joined:
    Apr 22, 2003
    Messages:
    80
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Hamilton, Ontario, CANADA
    I have a hacker that is running stuff that I believe is being run via php, but I am having trouble isolating which account he's exploiting. I have told php to not permit most of the commands that would allow system calls (save exec, which is needed for Coppermine gallery).

    He originally was running perl as nobody but now he's running perl from a bash session so ps lists bash running as nobody.

    I have looked in the proc directory for the process, run lsof but that is giving me no indication of what php script he's exploiting.

    What's the next step?
     
  12. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    lsof -u nobody | grep cwd

    lists the directory from where the malicious scripts are running. They do not list the filename(s). You will have to identify them yourself... if they are third-party software glued to cpanel/fantastico... an upgrade of that software may help... don't forget to backup before upgrade.

    Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/

    You may also need to add more modsec rules, etc.
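The checks this thread does by hand (reading the lsof listing in post 2 for the ircd connection and the deleted /tmp file, and `lsof -u nobody | grep cwd` from posts 10 and 12) as one added shell example; this is not code from any poster, the sample lsof lines are constructed, and the hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added triage helper (not from the thread): reads `lsof -u nobody` output on
# stdin and prints "PID indicator detail" lines for the signs the posters
# looked for by hand.
triage_lsof() {
    awk '
    $1 == "COMMAND" { next }   # lsof header line
    {
        pid = $2; fd = $4; type = $5
        # Working directory of every process (what `lsof -u nobody | grep cwd` shows).
        if (fd == "cwd") {
            print pid, "cwd", $NF
            # A script running out of a scratch directory is worth a closer look.
            if ($NF ~ /^\/(tmp|var\/tmp|dev\/shm)(\/|$)/) print pid, "cwd-in-tmp", $NF
        }
        # Established TCP session to an IRC service: "ircd" when /etc/services
        # names the port, or the raw 6667 when lsof is run with -P.
        if (type == "IPv4" && $0 ~ /:(ircd|6667) \(ESTABLISHED\)$/)
            print pid, "irc-connection", $(NF-1)
        # A file unlinked while still open: the download, run, rm pattern.
        if ($NF == "(deleted)") print pid, "deleted-file", $(NF-1)
    }' | sort -u
}

# Constructed sample modelled on the lsof output in the thread; the hostname
# and the remote addresses are placeholders, not the poster's.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 40000 nobody cwd DIR 3,3 4096 2 /usr/local/apache
httpd 40000 nobody 3u IPv4 12345 TCP *:http (LISTEN)
perl 25259 nobody cwd DIR 3,3 4096 2 /
perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
perl 25259 nobody 3u IPv4 20324504 TCP myserver:53142->203.0.113.7:ircd (ESTABLISHED)
perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
bash 30010 nobody cwd DIR 3,3 4096 1234 /tmp/.x
bash 30010 nobody 4u IPv4 20330001 TCP myserver:40112->198.51.100.9:6667 (ESTABLISHED)
EOF
}

# Live use: lsof -u nobody | triage_lsof
# Demo on the constructed sample:
sample_lsof | triage_lsof
```

On the live box, `tr '\0' ' ' < /proc/PID/cmdline` for a flagged PID shows the script path that the cwd line alone does not give.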
     
  13. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Could you please tell more about:

    securenobody.rpm

    ?

    I cannot find anything about it.
     
  14. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You have to have the proper tools to pinpoint the bad/insecure scripts. In addition, securing and hardening your server is a must to minimize or completely stop malicious attacks against your server. It is really hard to say what the cause is without looking into the server. Point your browser at: http://www.servertune.com/kbase/security/server_load.html and http://www.servertune.com/kbase/security/concept.html
     
    #14 AndyReed, Nov 25, 2006
    Last edited: Nov 25, 2006
  15. ramprage

    ramprage Well-Known Member

    I think they're referring to: Nobody Check security tool available at http://www.webhostgear.com/353.html
     
  16. sampride

    sampride Member

    Joined:
    Jul 8, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    ramprage, can you share with us your mod_security rules for joomla/mambo?
     