syslogd running on a rampage, need help please

gighost (Member, Aug 15, 2005)
I noticed that syslogd is running multiple instances on the server. I want to know if there is something I can do to slow it down; it is using a lot of the system resources.

nobody 8484 52.8 0.1 6184 3556 ? R 05:12 36:00 [syslogd]
nobody 9386 50.2 0.1 6300 3560 ? R 05:18 31:20 [syslogd]
nobody 9552 50.5 0.1 6396 3560 ? R 05:18 31:11 [syslogd]
nobody 10023 47.1 0.1 6924 3560 ? R 05:21 27:57 [syslogd]
nobody 10141 45.1 0.1 6136 3560 ? R 05:22 26:00 [syslogd]
nobody 10834 44.2 0.1 6716 3560 ? R 05:27 23:28 [syslogd]
nobody 11796 42.7 0.1 5388 3560 ? R 05:35 19:09 [syslogd]
nobody 11856 41.3 0.1 7028 3560 ? R 05:36 18:04 [syslogd]
nobody 12877 1.6 0.1 7204 3568 ? S 05:44 0:36 [syslogd]
nobody 14047 1.5 0.1 5884 3548 ? S 05:52 0:25 [syslogd]

Any ideas would certainly help.

Thanks in advance
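
The listing above is the telling artefact: ten copies of something calling itself [syslogd], all owned by nobody (the web-server user on a cPanel box), eight of them pegged at around 50% CPU. A real syslogd runs once, as root, and ps only brackets a name when the process has no command line at all (kernel threads); a user process that shows up bracketed has written its own argv[0], which a perl script does with `$0 = '[syslogd]'`. The check below is an added example, not code from the thread: it walks a /proc tree and cross-checks every process that calls itself syslogd against what the kernel actually records (the /proc/PID/exe link, the Uid line of /proc/PID/status, and /proc/PID/cwd, which often answers the "where was it started from" question lsof does not). PROC_ROOT is a hypothetical parameter so the check can be run against a copied or constructed tree; on a live host run it as root against /proc, because exe and cwd of another user's process are not readable otherwise and are reported as such.

```sh
#!/bin/sh
# Added example, not code from the thread. Cross-checks every process whose
# argv[0] claims to be syslogd against what the kernel records about it.
#
# find_fake_syslogd [PROC_ROOT]
#   PROC_ROOT is a hypothetical parameter (default /proc) so the check can be
#   pointed at a copied or constructed tree. On a live host run it as root:
#   /proc/PID/exe and /proc/PID/cwd of another user's process are otherwise
#   unreadable and show up as "unreadable" (which is flagged).
find_fake_syslogd() {
    proc_root=${1:-/proc}
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        # cmdline is argv, NUL-separated; keep argv[0]. A kernel thread has an
        # empty cmdline (that is when ps prints its name in brackets), so a
        # non-empty argv[0] that itself starts with '[' was written by the
        # process to imitate one (perl: $0 = '[syslogd]').
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        case "$argv0" in
            *syslogd*) ;;
            *) continue ;;
        esac
        pid=${d##*/}
        exe=$(readlink "$d/exe" 2>/dev/null || echo unreadable)
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo unreadable)
        # second field of the Uid: line is the real uid
        uid=$(awk '/^Uid:/ { print $2; exit }' "$d/status" 2>/dev/null)
        reasons=""
        case "$argv0" in
            \[*) reasons="${reasons}bracketed-argv0 " ;;
        esac
        # a genuine daemon's exe is the syslog binary, not an interpreter
        case "$exe" in
            */syslogd|*/rsyslogd|*/syslog-ng) ;;
            *) reasons="${reasons}exe-not-syslog " ;;
        esac
        [ "${uid:-0}" = "0" ] || reasons="${reasons}non-root-uid "
        # scripts dropped through a web app usually run out of a temp dir
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                reasons="${reasons}cwd-in-tmp " ;;
        esac
        [ -n "$reasons" ] || continue
        printf 'pid=%s uid=%s argv0=%s exe=%s cwd=%s reasons=%s\n' \
            "$pid" "${uid:-?}" "$argv0" "$exe" "$cwd" "${reasons% }"
    done
}

# Stand-alone use: sh find_fake_syslogd.sh --run [PROC_ROOT]
case "${1:-}" in
    --run) find_fake_syslogd "${2:-/proc}" ;;
esac
```

Each reported line gives the pid to kill, the interpreter that was really running (for a perl bot the exe link points at /usr/bin/perl, possibly marked "(deleted)"), and the directory it was started in; `ls -l /proc/PID/fd` on a suspect before killing it is worth a look as well, since open files and sockets are still visible there.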
 

oderland (Well-Known Member, PartnerNOC, Kungsbacka, Sweden, Dec 30, 2002)
We have the same issue. I think it is an IRC bot masked as a syslogd process. It is running as nobody and is using perl.

lsof could not point out where this one was started from either. Anyone have a clue?
 

Danny_T (Well-Known Member, Netherlands, Jul 19, 2005)
It's new indeed; there must be a new exploit in some kind of PHP application or so...
It is doing (DDoS) attacks.
Watch your outgoing traffic while it's running...
Several times it attacked here at an outgoing rate of almost 45 Mbit/s.
Still figuring out where it comes from, because it is coming back after I deleted it.
Even with the tmp's mounted noexec.

Danny.
 

Danny_T (Well-Known Member, Netherlands, Jul 19, 2005)
Still can't figure out why or what.

Just 30 mins ago it happened again with hundreds of these processes.
They were DDoS attacking this IP:

206.127.66.113
113.66.127.206.in-addr.arpa domain name pointer sfpinc.static.MT.net.
OrgName: Montana Internet Cooperative Association
OrgID: MIC
Address: 314 North Last Chance Gulch
City: Helena
StateProv: MT
PostalCode: 59601
Country: US
NetRange: 206.127.64.0 - 206.127.127.255

I blocked this IP in the firewall for outgoing traffic.
But I guess next time (tomorrow, I guess) it will be another IP.

This is a major problem, as I can't find anything odd, or I am overlooking things.
I know they are perl processes.

Danny.
 

Morgana (Active Member, Jan 16, 2003)
I have the same problem with a server. There are perl scripts running that are causing high server load and outgoing traffic. I thought maybe it was a phpBB exploit and updated the scripts to the newest version, but even if I remove all the processes it comes back.
 

ramprage (Well-Known Member, Canada, Jul 21, 2002)
Grab yourself a copy of Nobody Check, secure system binaries, make tmp and /dev/shm noexec,nosuid, and also have a good mod_security ruleset.
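
ramprage's noexec,nosuid advice, turned into a check a practitioner can actually run. This is an added example, not code from the thread: it reads a /proc/mounts-style file and reports whether /tmp, /dev/shm and (my generalisation, beyond the post) /var/tmp are separate mounts carrying noexec, nosuid and nodev. The MOUNTS argument is a hypothetical parameter so the check can run against a constructed file; on a live host the default /proc/mounts is used. One caveat is worth stating, because Danny_T reports the bot coming back even with tmp mounted noexec: noexec only stops the kernel from executing a file that lives on that mount directly (`/tmp/x`); `perl /tmp/x` still runs, because the file being executed is /usr/bin/perl. The mount options raise the bar, they do not replace finding the vulnerable web application and whatever re-launches the script.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks that the world-writable
# temp filesystems are mounted with restrictive options.
#
# The corresponding /etc/fstab entries look like (device paths are examples):
#   /dev/sda3  /tmp      ext3   defaults,noexec,nosuid,nodev  0 0
#   tmpfs      /dev/shm  tmpfs  defaults,noexec,nosuid,nodev  0 0
# and are applied to a running system with
#   mount -o remount,noexec,nosuid,nodev /tmp
#
# check_mount_opts MOUNTS MOUNTPOINT OPT...
#   MOUNTS is a /proc/mounts-style file (hypothetical parameter, so the check
#   can be run against a saved or constructed copy).
check_mount_opts() {
    mounts=$1; mp=$2; shift 2
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # Keep the last entry for the mountpoint: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount (inherits the options of its parent)"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing (mounted with: $opts)"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# audit_tmp_mounts [MOUNTS]  -- exits non-zero if any temp mount is weak
audit_tmp_mounts() {
    mounts=${1:-/proc/mounts}
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        check_mount_opts "$mounts" "$mp" noexec nosuid nodev || rc=1
    done
    return $rc
}

# Stand-alone use: sh check_tmp_mounts.sh --run [MOUNTS]
case "${1:-}" in
    --run) audit_tmp_mounts "${2:-/proc/mounts}" ;;
esac
```

Run it as `sh check_tmp_mounts.sh --run`; a non-zero exit means at least one of the three directories is either not its own mount or lacks one of the options, and the message says which.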