The Community Forums


Server compromised or what?

Discussion in 'General Discussion' started by mike_r, Dec 20, 2004.

  1. mike_r

    mike_r Well-Known Member

    Joined:
    Nov 26, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    Today I found that nobody user was running this command: (from WHM)

    /hsphere/shared/apache/bin/httpd -DSSL

    Top shows it as perl ...

    And it has been using 90+% of CPU all the time and I was not able to identify the user who did it. Also no such directory exists on the server, so how come it was running?

    Any ideas?
     
    #1 mike_r, Dec 20, 2004
    Last edited: Dec 20, 2004
  2. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    You may want to hire someone who is familiar with linux security and can find out if a process is 'bad' and just trying to look like a legitimate program.
     
  3. Blue|Fusion

    Blue|Fusion Well-Known Member

    Joined:
    Sep 12, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Cleveland, Ohio
    Are you running H-Sphere?

    If so, then you have nothing to worry about. The process should be run as nobody. There should be one process like that as "root", and several child processes like that run as "nobody". It is simply the Apache webserver. If it is somehow compromised, the hacker gets as much access as the user "nobody", being essentially nothing. If all of the child processes were run as root, and was exploited, a hacker could gain complete access instead of a "dead end".
     
  4. mike_r

    mike_r Well-Known Member

    Joined:
    Nov 26, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    It looks weird to me because I am not running H-Sphere.... I think someone compiled the Apache of H-Sphere on the server in order to run Apache on another port for some other purpose..
     
  5. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    I vaguely remember someone else (I think on these forums) reporting a similar thing... a program named apache running from an hsphere directory, when there was nothing relating to hsphere on the server.

    Remember that you can name a program anything you want... so it's quite unlikely that this is really apache, if it is a hack program. It's more likely that it's an irc server, or maybe a DOS program, or something similar.
     
  6. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    I have seen so many names for DDS and IRC programs on servers we manage. Your server might be and will be exploited, unless you protect it.

    FYI:
    An exploit is a way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over and over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.

    Hope this helps!
     
  7. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    Kill it, terminate user.
     
  8. ilbin

    ilbin Member

    Joined:
    Apr 12, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    you might be compromised

    An earlier poster indicated that the hsphere processes may be evidence of a hack.

    I had 3 servers (php 4.3.10 on all, phpBB 2.0.11 available but not forced on the customers) pop up with several of those processes exactly as you did, running as nobody and appearing as perl in top. In the tmp directory on those servers, I found bots, worms, and new index pages, so it appears to be part of an outgoing hack after phpBB is compromised on a machine.

    Once I chowned, chmodded and moved those bot and worm files, several wget commands popped up attempting to get those same files and place them into /tmp.

    I blocked the IP of the domain listed in the wget, but the processes didn't stop regenerating. I used the PID's to find the user in "apache status" in WHM, and then either disabled (if the customer hadn't used our cpanel to install their BB) the BB or forced an upgrade through the customer's cpanel view. All wget processes immediately ceased in the upgrade scenario, and they stopped regenerating in the disable version.

    I didn't find any evidence of removing the customer's site files, but you may want to check your /tmp directory, and you may want to make sure all phpBB's are up to date.

    If anybody can shed further light on this, I'd appreciate the info. :)
     
  9. jough

    jough Well-Known Member

    Joined:
    Aug 17, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Philadelphia, PA
    I also noticed a large server load with this running as the top process:

    /hsphere/shared/apache/bin/httpd -DSSL

    Just this morning.

    There was also an RPM installed last night:

    /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{release}.%{arch}.rpm\n

    So I don't know if this is an exploit or the result of a Cpanel update gone awry.
     
  10. qlites

    qlites Member

    Joined:
    Oct 13, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I believe this has to do with the phpbb exploit and the Santy worm.
     
  11. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    That's a little extreme. It's like taking out the lungs to cure someone with an infection in their chest.
     
  12. afdg

    afdg Registered

    Joined:
    Jul 31, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I'm having the exact same problem :(

    also, I noticed in my /tmp directory the following files among others: bot.txt unbot.txt worm.txt unworm.txt ...
     
  14. Israel.lopez

    Israel.lopez Member

    Joined:
    Mar 4, 2003
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    Got it here too. Check your error_log; I got some sites from:

    root@serv [~]# lsof | grep ESTABLISHED
    sshd 15813 root 4u IPv4 77912 TCP serv.ocservers.net:ssh->NOCStaff.ocservers.net:4539 (ESTABLISHED)
    perl 25845 nobody 3u IPv4 218519 TCP serv.ocservers.net:34161->lemming.euronet.nl:ircd (ESTABLISHED)
    perl 26737 nobody 3u IPv4 377479 TCP serv.ocservers.net:34385->irc2.saunalahti.fi:ircd (ESTABLISHED)
    perl 26744 nobody 3u IPv4 301254 TCP serv.ocservers.net:34367->irc2.saunalahti.fi:ircd (ESTABLISHED)
    exim 27036 mailnull 1u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
    exim 27036 mailnull 2u IPv4 378079 TCP 216-73-121-41.ocdc-01.net:smtp->203.237.69.105:3230 (ESTABLISHED)
    exim 27337 mailnull 1u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
    exim 27337 mailnull 2u IPv4 378993 TCP 216-73-121-41.ocdc-01.net:smtp->218.39.128.231:2833 (ESTABLISHED)
    exim 27355 mailnull 1u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
    exim 27355 mailnull 2u IPv4 379041 TCP 216-73-121-41.ocdc-01.net:smtp->202.179.67.57:1497 (ESTABLISHED)
    exim 27399 mailnull 1u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
    exim 27399 mailnull 2u IPv4 384135 TCP 216-73-121-41.ocdc-01.net:smtp->69-166-153-51.clvdoh.adelphia.net:4564 (ESTABLISHED)
    exim 27402 mailnull 1u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
    exim 27402 mailnull 2u IPv4 384139 TCP 216-73-121-41.ocdc-01.net:smtp->adsl-68-255-228-234.dsl.bcvloh.ameritech.net:2810 (ESTABLISHED)
    exim 27456 mailnull 1u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
    exim 27456 mailnull 2u IPv4 384303 TCP 216-73-121-55.ocdc-01.net:smtp->wbar19.dal1-4.29.156.157.dal1.dsl-verizon.net:3785 (ESTABLISHED)
    root@serv [~]# kill 25845
    root@serv [~]# kill 26737
    root@serv [~]# kill 26744
    root@serv [~]# lsof | grep ESTABLISHED



    http://www.webmaster-it.it/terrorbot.txt
    http://www.webmaster-it.it/terrorworm.txt

    Country: ITALY


     
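The listing above shows the pattern worth hunting for on a shared host: perl processes owned by nobody holding connections to an ircd port. This is an added triage helper, not code from the thread; it assumes lsof's default column layout as printed in the post (no SIZE/OFF column, so the connection endpoint is the second-to-last field) and uses constructed sample lines with made-up hostnames.

```shell
#!/bin/sh
# Added example (not code from the thread): read `lsof | grep ESTABLISHED` output and
# list the PIDs of processes run as the web-server user that hold an IRC connection,
# the pattern in Israel.lopez's listing (perl, user nobody, remote port ircd).
# Assumed layout (lsof default without SIZE/OFF, as in the post):
#   COMMAND PID USER FD TYPE DEVICE NODE NAME (ESTABLISHED)

# Constructed sample in the same shape as the post's output (hostnames are made up).
SAMPLE_LSOF='sshd 15813 root 4u IPv4 77912 TCP host.example.net:ssh->admin.example.net:4539 (ESTABLISHED)
perl 25845 nobody 3u IPv4 218519 TCP host.example.net:34161->irc1.example.org:ircd (ESTABLISHED)
perl 26737 nobody 3u IPv4 377479 TCP host.example.net:34385->irc2.example.org:6667 (ESTABLISHED)
perl 26737 nobody 4u IPv4 377480 TCP host.example.net:34386->irc2.example.org:6667 (ESTABLISHED)
exim 27036 mailnull 1u IPv4 378079 TCP host.example.net:smtp->203.0.113.5:3230 (ESTABLISHED)
httpd 30101 nobody 9u IPv4 401200 TCP host.example.net:http->198.51.100.7:51000 (ESTABLISHED)'

# irc_bot_pids USER - reads lsof lines on stdin and prints the unique PIDs (one per
# line) of processes run as USER whose remote port is ircd, 6660-6669 or 7000.
irc_bot_pids() {
    awk -v user="$1" '
        $NF == "(ESTABLISHED)" && $3 == user {
            name = $(NF-1)
            n = index(name, "->")
            if (n == 0) next
            port = substr(name, n + 2)      # remote host:port
            sub(/.*:/, "", port)            # keep only the text after the last colon
            if (port == "ircd" || port ~ /^666[0-9]$/ || port == "7000")
                print $2
        }' | sort -un
}

# On a live box:  lsof | grep ESTABLISHED | irc_bot_pids nobody
# Inspect /proc/PID/cwd and /proc/PID/exe for each hit before killing, as the post does.
printf '%s\n' "$SAMPLE_LSOF" | irc_bot_pids nobody
```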
  15. SEAL31

    SEAL31 Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Yes it looks like the phpBB worm. Upgrade any phpBB installs to 2.0.11. If you don't want to upgrade, follow instructions to fix the viewtopic bug (which I believe is the problem, if my memory serves me).
     
  16. Mani

    Mani Well-Known Member

    Joined:
    Dec 22, 2003
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    16
    your TMP folder will be full of IRC bots and they are having fun with your cool BW

    1- chmod 000 /usr/bin/wget
    2- clean up your TMP directory from the bots they will be in such names
    bot.txt
    bot
    bot.txt.1 "some numbers"
    spybot.txt.1
    worm.txt
    terroworm

    and some others

    3- kill the PID of the nobody /hsphere/shared/apache/bin/httpd -DSSL

    that will give you enough time to do your homework and fix things around
     
  17. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA

    What string would be best to search for to find which site the worm got in through?
     
  18. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    Joined:
    Dec 4, 2002
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Also if you have a firewall watch and block any incoming/outgoing access to:

    visualcoders . net
    zone-h . org

    - Farhad
     
  19. mike_r

    mike_r Well-Known Member

    Joined:
    Nov 26, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Sorry for not keeping you updated, but I fixed it the same day.

    Many of the people posting here are right... it was something with that phpbb bug.. I also experienced the m1olof (maybe a lil different) bot ...

    I used a:

    ps aux | grep perl

    to find out the perl processes.. find what files were being executed, search for the files using:

    find / -name 'FILENAME'

    Then, removed all the files and secure phpbb forums (I have a lot of 'em)..
     
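The thread's core finding is a process whose command line reads /hsphere/shared/apache/bin/httpd -DSSL while top shows perl: a script can rewrite its own argv, but /proc/PID/exe still points at the real binary. This added check (not code from the thread) turns mike_r's `ps aux | grep perl` into a comparison of the claimed program name against the executable the kernel actually loaded; it assumes Linux /proc and GNU stat, and the pure comparison is kept in its own function so it can be exercised on sample values.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose argv[0] claims one program
# while /proc/PID/exe shows another, the way the fake "httpd -DSSL" was really perl.
# Assumes Linux /proc and GNU `stat -c %U`.

# masquerading EXE_BASENAME ARGV0 - prints "yes" when the basename argv[0] claims does
# not start with the real executable's basename, otherwise "no". The prefix match
# allows for names like "httpd-prefork" and for the 15-char truncation of comm.
masquerading() {
    real=$1
    claimed=${2##*/}                  # basename of what the command line claims
    case "$claimed" in
        "$real"*) echo "no" ;;
        *)        echo "yes" ;;
    esac
}

# scan_proc [USER] - walk /proc and print "PID  exe  claimed-argv0" for processes owned
# by USER (default nobody) whose claimed name disagrees with the loaded executable.
# Scripts started through a shebang get argv[0] = interpreter path, so they still match;
# an exe ending in "(deleted)" means the binary was removed after launch, worth a look too.
scan_proc() {
    user=${1:-nobody}
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        owner=$(stat -c %U "$d" 2>/dev/null) || continue
        [ "$owner" = "$user" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        if [ "$(masquerading "${exe##*/}" "$argv0")" = "yes" ]; then
            printf '%s  %s  %s\n' "$pid" "$exe" "$argv0"
        fi
    done
}

# Constructed cases: the thread's disguised process versus a genuine Apache child.
masquerading perl  "/hsphere/shared/apache/bin/httpd"    # yes
masquerading httpd "/usr/local/apache/bin/httpd"          # no
```

Run `scan_proc nobody` as root on a suspect host; any hit is a process to inspect (cwd, open files, network connections) before it is killed.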