The Community Forums

Interact with an entire community of cPanel & WHM users!

Suspicious Process httpd.pl

Discussion in 'Security' started by team_dale, Apr 1, 2015.

  1. team_dale

    team_dale Member

    Joined:
    Jul 9, 2014
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi Guys

    We've had problems with a website that migrated to our server. It was sending spam for a while; we cleaned it up and all seems good.

    It was defaced yesterday with an upload to two folders and the index.php file modified.

    Backups were restored and it's all fine now.

    However, I am now noticing that the account is constantly running a process, httpd.pl, which only runs for a couple of minutes before the PID changes (which makes it hard to track down what is running it).

    Top doesn't show a path when I hit c; it just changes the process from "httpd.pl" to "httpd". Obviously there is no file in the account with that name.

    If I trace the process, it's putting out a whole bunch of

    Code:
    select(0, NULL, NULL, NULL, {0, 1199})  = 0 (Timeout)
    select(8, [3], NULL, NULL, {0, 10000})  = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(8, [3], NULL, NULL, {0, 10000})  = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(8, [3], NULL, NULL, {0, 10000})  = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
    lsof -p PID is showing:

    Code:
    httpd.pl 7399 mashupco  cwd    DIR     253,0     4096       2 /
    httpd.pl 7399 mashupco  rtd    DIR     253,0     4096       2 /
    httpd.pl 7399 mashupco  txt    REG     253,0    13304 1975561 /usr/bin/perl
    httpd.pl 7399 mashupco  mem    REG     253,0    43392 1835534 /lib64/libcrypt-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0    12776 1835519 /lib64/libfreebl3.so
    httpd.pl 7399 mashupco  mem    REG     253,0  1488544 2229798 /usr/lib64/perl5/CORE/libperl.so
    httpd.pl 7399 mashupco  mem    REG     253,0   157032 1835020 /lib64/ld-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0  1926760 1835038 /lib64/libc-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0   145896 1835041 /lib64/libpthread-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0    22536 1835120 /lib64/libdl-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0   599392 1835141 /lib64/libm-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0   113952 1835553 /lib64/libresolv-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0    17520 1835094 /lib64/libutil-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0   116368 1835479 /lib64/libnsl-2.12.so
    httpd.pl 7399 mashupco  mem    REG     253,0    21056 2231668 /usr/lib64/perl5/auto/File/Glob/Glob.so
    httpd.pl 7399 mashupco  mem    REG     253,0   120008 2231705 /usr/lib64/perl5/auto/POSIX/POSIX.so
    httpd.pl 7399 mashupco  mem    REG     253,0    17976 2231666 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
    httpd.pl 7399 mashupco  mem    REG     253,0    25624 2231886 /usr/lib64/perl5/auto/Socket/Socket.so
    httpd.pl 7399 mashupco  mem    REG     253,0    19336 2231686 /usr/lib64/perl5/auto/IO/IO.so
    httpd.pl 7399 mashupco    0r   CHR       1,3      0t0    3920 /dev/null
    httpd.pl 7399 mashupco    1w   CHR       1,3      0t0    3920 /dev/null
    httpd.pl 7399 mashupco    2w   CHR       1,3      0t0    3920 /dev/null
    httpd.pl 7399 mashupco    3u  IPv4 193502832      0t0     TCP *:39331 (LISTEN)
    with the concerning thing that it is listening on port 39331



    Anyone ever seen something like this? Anyone know how I can find that file?
     
    #1 team_dale, Apr 1, 2015
    Last edited: Apr 1, 2015
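The two clues in the post fit together: lsof shows txt = /usr/bin/perl, so "httpd.pl" is only the name the process was started under (and then changed to "httpd" by rewriting argv, which is why top shows no path), and fd 3 is the TCP listener, which is the descriptor the strace output polls with a 10 ms select() timeout while waiting for an inbound connection. The script below is an added example, not code from the post or from cPanel; it uses only /proc on Linux, so it works even after the script file has been deleted and does not depend on lsof or htop. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: find a process that advertises one name (comm / argv[0],
# which is what top and lsof print) but actually executes another binary,
# and list the TCP ports it listens on, using only /proc.

# find_masquerading NAME
# Prints one tab-separated line per matching process:  PID  EXE  CWD  CMDLINE
# A process matches when its comm or its argv[0] (basename) equals NAME.
# /proc/PID/exe is set by the kernel and cannot be renamed by the process;
# for an interpreted backdoor it points at the interpreter (/usr/bin/perl in
# the post) and the script is argv[1] of CMDLINE, unless the script rewrote
# argv, in which case look at the open fds under /proc/PID/fd. A link target
# ending in "(deleted)" means the file was unlinked after launch: copy it out
# of /proc/PID/fd/N or /proc/PID/exe before killing the PID.
find_masquerading() {
    name=$1
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/cmdline" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        case "$name" in
            "$comm"|"$argv0"|"${argv0##*/}") ;;
            *) continue ;;
        esac
        # readlink fails with EACCES for other users' processes unless root
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd='?'
        cmdline=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$cwd" "$cmdline"
    done
    return 0
}

# hex_port HEX  ->  decimal port; /proc/net/tcp stores ports as 4 hex digits
hex_port() { echo $((0x$1)); }

# listening_ports PID
# Prints the TCP ports PID is listening on. Each socket fd under
# /proc/PID/fd resolves to "socket:[INODE]"; the same inode appears in the
# last column of /proc/net/tcp and /proc/net/tcp6, where state 0A is LISTEN.
# This is the raw data behind lsof's "TCP *:39331 (LISTEN)" line.
listening_ports() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            socket:\[*\]) ;;
            *) continue ;;
        esac
        inode=${target#socket:[}
        inode=${inode%]}
        for table in /proc/net/tcp /proc/net/tcp6; do
            [ -r "$table" ] || continue
            # fields: sl local_address rem_address st ... uid timeout inode
            awk -v ino="$inode" '$4 == "0A" && $10 == ino { print $2 }' "$table"
        done
    done | while IFS=: read -r _addr hexport; do
        hex_port "$hexport"
    done
    return 0
}

# Usage (run as root so /proc/PID/exe of the account's processes is readable):
#   find_masquerading httpd.pl
#   find_masquerading httpd.pl | while IFS='	' read -r pid rest; do
#       echo "PID $pid listens on: $(listening_ports "$pid" | tr '\n' ' ')"
#   done
```

Because the PID changes every couple of minutes, something keeps relaunching the listener; the CMDLINE and CWD columns usually point at the script or the directory it is launched from, and the account's crontab (`crontab -l -u <user>`) and the web-accessible upload directories are the first places to look for the launcher. Capture the running script from /proc before killing the process, since the file on disk may already be gone.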
  2. 24x7ss

    24x7ss Well-Known Member

    Joined:
    Sep 30, 2014
    Messages:
    271
    Likes Received:
    16
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Without checking the processes it is very hard to tell where this process gets generated from, but I would suggest you install rkhunter and chkrootkit on the server and scan the complete server.

    Also, to check the process, try installing htop; it will show the complete process path.
     
  3. team_dale

    team_dale Member

    Joined:
    Jul 9, 2014
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    For anyone that was interested: this was a backdoor installed by a PHP shell. The cleanup just didn't catch it on the first round.

    The files were removed, and php.ini was updated to remove a couple more functions that we weren't using but that the infection was. Joomla was updated; all systems clear now.
     
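The fix described above (disabling in php.ini the functions the PHP shell used to spawn perl) is easy to do incompletely, because a shell that cannot call exec() or system() will fall back to shell_exec(), passthru(), popen() or proc_open(). The script below is an added example, not part of the post and not cPanel's own tooling: it parses the effective disable_functions line out of a php.ini and reports which process-spawning functions are still enabled. The function list is the usual set of PHP process-spawning functions; the two sample ini files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a php.ini's disable_functions line against the
# functions a PHP web shell uses to launch a process.

# Process-spawning functions a web shell reaches for. popen and proc_open are
# the ones most often forgotten when only exec/system are disabled.
DANGEROUS='exec shell_exec system passthru popen proc_open pcntl_exec'

# disabled_functions INI_FILE
# Prints the names in the effective disable_functions value, one per line.
# A later line overrides an earlier one, as PHP does; commented lines
# (leading ';') and trailing ';' comments are ignored, quotes and spaces
# around names are stripped.
disabled_functions() {
    awk '
        /^[[:space:]]*disable_functions[[:space:]]*=/ {
            sub(/^[^=]*=/, "")
            val = $0
        }
        END {
            sub(/;.*/, "", val)
            gsub(/[[:space:]"]/, "", val)
            n = split(val, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
    ' "$1"
    return 0
}

# still_enabled INI_FILE
# Prints every name from DANGEROUS the ini does not disable; empty output
# and status 0 mean the list is fully covered, status 1 means it is not.
still_enabled() {
    disabled=$(disabled_functions "$1")
    rc=0
    for fn in $DANGEROUS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            echo "$fn"
            rc=1
        fi
    done
    return $rc
}

# write_samples
# Writes two constructed ini files into a temp dir and prints its path:
# weak.ini disables only the obvious pair, hardened.ini covers the list.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.ini" <<'EOF'
; constructed sample, not a real server configuration
disable_functions = exec,system
EOF
    cat > "$dir/hardened.ini" <<'EOF'
; constructed sample, not a real server configuration
disable_functions = "exec, shell_exec, system, passthru, popen, proc_open, pcntl_exec"
EOF
    echo "$dir"
}

# Usage: still_enabled /path/to/php.ini  (check every php.ini the account's
# PHP handler actually loads; `php --ini` shows the system-wide one).
```

Disabling these functions only restricts PHP itself; it does not remove a perl listener that is already running, so the process hunt and the php.ini change have to be done together.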
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator