Server compromised or what?

mike_r

Well-Known Member
Nov 26, 2002
Hello,

Today I found that nobody user was running this command: (from WHM)

/hsphere/shared/apache/bin/httpd -DSSL

Top shows it as perl ...

And it has been using 90+% of CPU all the time, and I was not able to identify the user who did it. Also, no such directory exists on the server, so how come it was running?

Any ideas?
 

dezignguy

Well-Known Member
Sep 26, 2004
You may want to hire someone who is familiar with linux security and can find out if a process is 'bad' and just trying to look like a legitimate program.
 

Blue|Fusion

Well-Known Member
Sep 12, 2004
Cleveland, Ohio
Are you running H-Sphere?

If so, then you have nothing to worry about. The process should be run as nobody. There should be one process like that as "root", and several child processes like that run as "nobody". It is simply the Apache webserver. If it is somehow compromised, the hacker gets as much access as the user "nobody", being essentially nothing. If all of the child processes were run as root and one were exploited, a hacker could gain complete access instead of a "dead end".
 

mike_r

Well-Known Member
Nov 26, 2002
It looks weird to me because I am not running H-Sphere... I think someone compiled the H-Sphere Apache on the server in order to run Apache on another port for some other purpose.
 

dezignguy

Well-Known Member
Sep 26, 2004
I vaguely remember someone else (I think on these forums) reporting a similar thing... a program named apache running from an hsphere directory, when there was nothing relating to hsphere on the server.

Remember that you can name a program anything you want... so it's quite unlikely that this is really apache, if it is a hack program. It's more likely that it's an irc server, or maybe a DOS program, or something similar.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
I have seen so many names for DDoS and IRC programs on servers we manage. Your server might be and will be exploited, unless you protect it.

FYI:
An exploit is a way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over and over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.

Hope this helps!
 

EdRooney

BANNED
Oct 21, 2004
mike_r said:
Hello,

Today I found that nobody user was running this command: (from WHM)

/hsphere/shared/apache/bin/httpd -DSSL

Top shows it as perl ...

And it has been using 90+% of cpu all the time and I was not able to identify the user who did it. Also no such directory exists on the server so howcome it was running?

Any ideas?
Kill it, terminate user.
 

ilbin

Member
Apr 12, 2004
you might be compromised

An earlier poster indicated that the hsphere processes may be evidence of a hack.

I had 3 servers (php 4.3.10 on all, phpBB 2.0.11 available but not forced on the customers) pop up with several of those processes exactly as you did, running as nobody and appearing as perl in top. In the tmp directory on those servers, I found bots, worms, and new index pages, so it appears to be part of an outgoing hack after phpBB is compromised on a machine.

Once I chowned, chmodded, and moved those bot and worm files, several wget commands popped up attempting to get those same files and place them into /tmp.

I blocked the IP of the domain listed in the wget, but the processes didn't stop regenerating. I used the PIDs to find the user in "apache status" in WHM, and then either disabled the BB (if the customer hadn't used our cpanel to install it) or forced an upgrade through the customer's cpanel view. All wget processes immediately ceased in the upgrade scenario, and they stopped regenerating in the disable version.

I didn't find any evidence of removing the customer's site files, but you may want to check your /tmp directory, and you may want to make sure all phpBB's are up to date.

If anybody can shed further light on this, I'd appreciate the info. :)
 

jough

Well-Known Member
Aug 17, 2003
Philadelphia, PA
I also noticed a large server load with this running as the top process:

/hsphere/shared/apache/bin/httpd -DSSL

Just this morning.

There was also an RPM installed last night:

/usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{release}.%{arch}.rpm\n

So I don't know if this is an exploit or the result of a Cpanel update gone awry.
 

haze

Well-Known Member
Dec 21, 2001
EdRooney said:
Kill it, terminate user.
That's a little extreme. It's like taking out the lungs to cure someone with an infection in their chest.
 

afdg

Registered
Jul 31, 2004
I'm having the exact same problem :(

also, I noticed in my /tmp directory the following files among others: bot.txt unbot.txt worm.txt unworm.txt ...
 

Israel.lopez

Member
Mar 4, 2003
Hello,

Got it here too. Check your error_log; I got some sites from:

[email protected] [~]# lsof | grep ESTABLISHED
sshd 15813 root 4u IPv4 77912 TCP serv.ocservers.net:ssh->NOCStaff.ocservers.net:4539 (ESTABLISHED)
perl 25845 nobody 3u IPv4 218519 TCP serv.ocservers.net:34161->lemming.euronet.nl:ircd (ESTABLISHED)
perl 26737 nobody 3u IPv4 377479 TCP serv.ocservers.net:34385->irc2.saunalahti.fi:ircd (ESTABLISHED)
perl 26744 nobody 3u IPv4 301254 TCP serv.ocservers.net:34367->irc2.saunalahti.fi:ircd (ESTABLISHED)
exim 27036 mailnull 1u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
exim 27036 mailnull 2u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
exim 27337 mailnull 1u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
exim 27337 mailnull 2u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
exim 27355 mailnull 1u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
exim 27355 mailnull 2u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
exim 27399 mailnull 1u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
exim 27399 mailnull 2u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
exim 27402 mailnull 1u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
exim 27402 mailnull 2u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
exim 27456 mailnull 1u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
exim 27456 mailnull 2u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
[email protected] [~]# kill 25845
[email protected] [~]# kill 26737
[email protected] [~]# kill 26744
[email protected] [~]# lsof | grep ESTABLISHED



http://www.webmaster-it.it/terrorbot.txt
http://www.webmaster-it.it/terrorworm.txt

Country: ITALY


 

SEAL31

Well-Known Member
Dec 4, 2004
Yes, it looks like the phpBB worm. Upgrade any phpBB installs to 2.0.11. If you don't want to upgrade, follow instructions to fix the viewtopic bug (which I believe is the problem, if my memory serves me).
 

Mani

Well-Known Member
Dec 22, 2003
Your TMP folder will be full of IRC bots, and they are having fun with your cool BW.

1- chmod 000 /usr/bin/wget
2- clean up your TMP directory from the bots; they will have names such as
bot.txt
bot
bot.txt.1 "some numbers"
spybot.txt.1
worm.txt
terroworm

and some others

3- kill the PID of the nobody /hsphere/shared/apache/bin/httpd -DSSL

That will give you enough time to do your homework and fix things around.
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
Mani said:
Your TMP folder will be full of IRC bots, and they are having fun with your cool BW.

1- chmod 000 /usr/bin/wget
2- clean up your TMP directory from the bots; they will have names such as
bot.txt
bot
bot.txt.1 "some numbers"
spybot.txt.1
worm.txt
terroworm

and some others

3- kill the PID of the nobody /hsphere/shared/apache/bin/httpd -DSSL

That will give you enough time to do your homework and fix things around.

What string would be best to search for to find which site the worm got in from?
 

fmalekpour

Well-Known Member
PartnerNOC
Dec 4, 2002
Also if you have a firewall watch and block any incoming/outgoing access to:

visualcoders . net
zone-h . org

- Farhad
 

mike_r

Well-Known Member
Nov 26, 2002
Sorry for not keeping you updated, but I fixed it the same day.

Many of the people posting here are right... it was that phpBB bug. I also experienced the m1olof (maybe a little different) bot...

I used a:

ps aux | grep perl

to find the perl processes and see which files were being executed, then searched for the files using:

find / -name 'FILENAME'

Then I removed all the files and secured the phpBB forums (I have a lot of 'em).
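The symptom in the first post (a command line reading /hsphere/shared/apache/bin/httpd while top shows perl) and the ps aux | grep perl triage above both come down to one check: what a process claims in argv[0] versus what the kernel actually loaded in /proc/PID/exe. The script below is an added example, not code from anyone in this thread; the httpd/perl pair and the nobody user are taken from the thread purely as sample values.

```shell
#!/bin/sh
# Added example, not from this thread. Compares what a process claims to be
# (argv[0] in /proc/PID/cmdline) with what the kernel really loaded
# (/proc/PID/exe). The thread's process claimed /hsphere/shared/apache/bin/httpd
# but was really perl; that pair is used below only as a sample value.

# is_spoofed EXE_PATH ARGV0 -> exit 0 when the two basenames disagree
is_spoofed() {
    exe_base=$(basename "$1")
    arg_base=$(basename "$2")
    # readlink appends " (deleted)" when the binary was unlinked after start,
    # a habit of /tmp droppers; strip it so the comparison still works
    exe_base=${exe_base%' (deleted)'}
    [ -n "$exe_base" ] && [ -n "$arg_base" ] && [ "$exe_base" != "$arg_base" ]
}

# scan_procfs: walk /proc and print every mismatch with its owner (e.g. nobody)
scan_procfs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        # kernel threads have no exe link; unreadable ones belong to other users
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        argv0=$({ tr '\0' '\n' < "$d/cmdline"; } 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        if is_spoofed "$exe" "$argv0"; then
            uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
            user=$(id -nu "$uid" 2>/dev/null || echo "$uid")
            printf 'pid=%s user=%s exe=%s argv0=%s\n' "$pid" "$user" "$exe" "$argv0"
        fi
    done
}

# Usage: sh spoofscan.sh --scan   (as root, so every /proc/PID/exe is readable)
if [ "${1:-}" = "--scan" ]; then
    scan_procfs
fi
```

Treat the output as a triage list rather than a verdict: symlinked shells (sh pointing at dash) and daemons that rewrite their own argv (sshd, postgres) are flagged too, so confirm each hit with lsof -p PID as Israel.lopez did above.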