nobody process attached to syslogd+Server Load too HIGH
Any ideas please? .... cannot find any open files attached.
Any ideas please? .... cannot find any open files attached.
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 25259 nobody cwd DIR 3,3 4096 2 /
perl 25259 nobody rtd DIR 3,3 4096 2 /
perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
perl 25259 nobody 0r CHR 1,3 8395 /dev/null
perl 25259 nobody 1w FIFO 0,5 20074316 pipe
perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.e
ast.verizon.net:ircd (ESTABLISHED)
perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
perl 25259 nobody 7r FIFO 0,5 19853479 pipe
perl 25259 nobody 8u unix 0xda542d00 14863818 socket
perl 25259 nobody 9r FIFO 0,5 15775422 pipe
perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
perl 25259 nobody 11r FIFO 0,5 17319214 pipe
perl 25259 nobody 12r FIFO 0,5 17392684 pipe
perl 25259 nobody 13r FIFO 0,5 17395745 pipe
perl 25259 nobody 14r FIFO 0,5 17395904 pipe
perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
perl 25259 nobody cwd DIR 3,3 4096 2 /
perl 25259 nobody rtd DIR 3,3 4096 2 /
perl 25259 nobody txt REG 3,3 1002181 59385 /usr/bin/perl
perl 25259 nobody mem REG 3,3 75050 106408 /lib/libresolv-2.3.2.so
perl 25259 nobody mem REG 3,3 17561 106393 /lib/libnss_dns-2.3.2.so
perl 25259 nobody mem REG 3,3 50783 128235 /lib/libnss_files-2.3.2.so
perl 25259 nobody mem REG 3,3 24582 75799 /usr/lib/perl5/5.8.1/i686-linux/auto/Socket/Socket.so
perl 25259 nobody mem REG 3,3 17474 75608 /usr/lib/perl5/5.8.1/i686-linux/auto/IO/IO.so
perl 25259 nobody mem REG 3,3 32148976 90860 /usr/lib/locale/locale-archive
perl 25259 nobody mem REG 3,3 1516255 128739 /lib/tls/libc-2.3.2.so
perl 25259 nobody mem REG 3,3 11375 106423 /lib/libutil-2.3.2.so
perl 25259 nobody mem REG 3,3 22242 106268 /lib/libcrypt-2.3.2.so
perl 25259 nobody mem REG 3,3 185942 128745 /lib/tls/libm-2.3.2.so
perl 25259 nobody mem REG 3,3 13601 127668 /lib/libdl-2.3.2.so
perl 25259 nobody mem REG 3,3 87563 128060 /lib/libnsl-2.3.2.so
perl 25259 nobody mem REG 3,3 19641 112475 /lib/libsafe.so.2.0.16
perl 25259 nobody mem REG 3,3 102480 106050 /lib/ld-2.3.2.so
perl 25259 nobody 0r CHR 1,3 8395 /dev/null
perl 25259 nobody 1w FIFO 0,5 20074316 pipe
perl 25259 nobody 2w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
perl 25259 nobody 3u IPv4 20324504 TCP myserver( I 've changed the name):53142->pool-71-250-26-222.nwrknj.e
ast.verizon.net:ircd (ESTABLISHED)
perl 25259 nobody 6u REG 7,0 0 27 /tmp/ZCUDQdIbeA (deleted)
perl 25259 nobody 7r FIFO 0,5 19853479 pipe
perl 25259 nobody 8u unix 0xda542d00 14863818 socket
perl 25259 nobody 9r FIFO 0,5 15775422 pipe
perl 25259 nobody 10u unix 0xeed8c180 15778997 socket
perl 25259 nobody 11r FIFO 0,5 17319214 pipe
perl 25259 nobody 12r FIFO 0,5 17392684 pipe
perl 25259 nobody 13r FIFO 0,5 17395745 pipe
perl 25259 nobody 14r FIFO 0,5 17395904 pipe
perl 25259 nobody 15w REG 3,3 24288296 92042 /usr/local/apache/logs/error_log
The above seems to me an IRCD attack;
I 've dropped ircd port --------->
[email protected] [~]# iptables -A INPUT -p tcp --destination-port ircd -j DROP
[email protected] [~]# iptables -A FORWARD -p tcp --destination-port ircd -j DROP
Please share your thoughts and advise.
I 've dropped ircd port --------->
[email protected] [~]# iptables -A INPUT -p tcp --destination-port ircd -j DROP
[email protected] [~]# iptables -A FORWARD -p tcp --destination-port ircd -j DROP
Please share your thoughts and advise.
I had the exact same problem on a server.
The disturbing thing is, the hacker includes a premade script that runs something like this:
wget somescript.pl to /tmp
perl somescript.pl
rm -f somescript.pl
And then, no clue, nothing!! The only solutions are running phpsuexec (even if temporary to find out what username it used) or doing an extensive search through the modsec rules to kill any accounts that have insecure scripts installed.
The disturbing thing is, the hacker includes a premade script that runs something like this:
wget somescript.pl to /tmp
perl somescript.pl
rm -f somescript.pl
And then, no clue, nothing!! The only solutions are running phpsuexec (even if temporary to find out what username it used) or doing an extensive search through the modsec rules to kill any accounts that have insecure scripts installed.
yeah.. saw some of this attack on some of Cpanel box which we have managed to block it using mod_security rules
NOBODY and BASH ( process )
If you see nobody user glued to process named bash... you may try to locate any of these files.... ofcouse you can always lsof.
Here is what I found out of an lsof of nobody user glued to process named bash ---->
-rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
-rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
-rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
-rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
-rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
-rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
-rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
-rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*
The best way to track malicous nobody scripts is to use the following command...
[email protected] [~]# lsof -u nobody | grep cwd
which shows the current working dir of open files attached to nobody user.
If you see nobody user glued to process named bash... you may try to locate any of these files.... ofcouse you can always lsof.
Here is what I found out of an lsof of nobody user glued to process named bash ---->
-rw-r--r-- 1 nobody nobody 73819 Oct 21 2005 convertxdccfile
-rw-r--r-- 1 nobody nobody 15 Jan 17 2005 .cset_number
-rw-r--r-- 1 nobody nobody 942 Jan 17 2005 dynip.sh
-rwxr-xr-x 1 nobody nobody 240763 Oct 21 2005 httpd*
-rw-r--r-- 1 nobody nobody 0 Nov 5 04:28 Infodll.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:10 mybot.state
-rw-r--r-- 1 nobody nobody 1100 Nov 5 13:07 mybot.state~
-rw-r--r-- 1 nobody nobody 240795 Oct 21 2005 xdc_chroot
-rw-r--r-- 1 nobody nobody 857 Jan 17 2005 xdc.cron
-rwxr-xr-x 1 nobody nobody 324 Nov 5 04:28 xh*
The best way to track malicous nobody scripts is to use the following command...
[email protected] [~]# lsof -u nobody | grep cwd
which shows the current working dir of open files attached to nobody user.
I have a hacker that running stuff that I believe is being run via php but I am having trouble isolating which account he's exploiting. I have told php to not permit most of the commands that would allow system calls (save exec which is needed for coppermine gallery.)
He originally was running perl as nobody but now he's running perl from a bash session so ps lists bash running as nobody.
I have looked in the proc directory for the process, run lsof but that is giving me no indication of what php script he's exploiting.
What's the next step?
He originally was running perl as nobody but now he's running perl from a bash session so ps lists bash running as nobody.
I have looked in the proc directory for the process, run lsof but that is giving me no indication of what php script he's exploiting.
What's the next step?
lsof -u nobody | grep cwd
lists you the directory from where the malicious scripts are running. They donot list the filename(s). You will have to indetify them yourself... if they are thirdparty softwares glued to cpanel/fantastico ... an upgrade of those software may help... dont forget to backup before upgrade.
Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/
You may also need to add more modsec rules. etc.
lists you the directory from where the malicious scripts are running. They donot list the filename(s). You will have to indetify them yourself... if they are thirdparty softwares glued to cpanel/fantastico ... an upgrade of those software may help... dont forget to backup before upgrade.
Did you have the securenobody rpm installed on your server? There are various other tricks that can be found by googling... or in http://webhostgear.com/
You may also need to add more modsec rules. etc.
You have to have the proper tools to pinpoint the bad/insecure scripts. In addition, securing and hardening your server is a must to minimize or completely stop malicious attacks against your server. It is really hard to say what the cause is without looking into the server. Point your browser at: http://www.servertune.com/kbase/security/server_load.html and http://www.servertune.com/kbase/security/concept.html
Last edited:
I think they're referring to : Nobody Check security tool available at http://www.webhostgear.com/353.html
