is my server hacked ? urgent
Hello All,
Recently I noticed that the CPU is fully used by http.pl, httpd.pl, https.pl processes. This is the result of the top command:

  PID USER     PR NI VIRT  RES  SHR S %CPU %MEM TIME+   COMMAND
  2473 www-data 20 0  36800 6948 1332 R 54   0.7  8:45.96 https.pl
  2348 www-data 20 0  38332 7464 1332 R 52   0.7  8:55.28 http.pl
  2475 www-data 20 0  36688 6884 1332 R 45   0.7  8:29.28 httpd.pl
  2474 www-data 20 0  36952 6948 1332 R 35   0.7  8:37.41 httpd.pl

If I run top -bcis then all http?.pl display as mail. I try to kill those processes with kill 2473 but nothing happens to that process; after many attempts the process is still running as ID 2473. Finally I disconnected my server from the net. I have no idea what should be next. Any suggestion highly appreciated.
I think I am dead.
No one has had such an experience of an http.pl (mail) process consuming the full CPU? The strange thing is I searched my whole PC and can't find any file named http.pl or any command named mail. I think I should buy another hosting and transfer the files there. Tomorrow I have to fly to China so no time to try. Thanks
Please check your system with rkhunter to see if, or which, rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.
Install htop to see path of running process.
Thanks a lot for the suggestion. I have installed htop and used it. That process just appears as mail, not with any other path.
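htop shows the name a process chose for itself (argv), which a script can rewrite, so "mail" proves nothing. The kernel's own view in /proc still exposes the real binary, working directory and open script file. The script below is an added example, not something posted in this thread; it assumes a Linux /proc, root privileges, and the thread's www-data user as the account to scan.

```shell
#!/bin/sh
# Added example: inspect a suspicious PID through /proc so that a process
# which renamed itself (e.g. to "mail") still reveals what it really is.

pid_comm()    { cat "/proc/$1/comm" 2>/dev/null; }              # kernel short name (what plain top shows)
pid_exe()     { readlink "/proc/$1/exe" 2>/dev/null; }           # real binary, e.g. /usr/bin/perl
pid_cwd()     { readlink "/proc/$1/cwd" 2>/dev/null; }           # often the web root the script was started from
pid_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; }  # argv, rewritable by the program itself

# Print an evidence block for one PID. A mismatch between comm/argv and exe is
# the tell-tale of a renamed process; "(deleted)" after a path means the file
# was removed after launch, which explains why a filesystem search finds nothing.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "pid=$pid comm=$(pid_comm "$pid") exe=$(pid_exe "$pid")"
    echo "  cmdline: $(pid_cmdline "$pid")"
    echo "  cwd:     $(pid_cwd "$pid")"
    echo "  ppid:    $(ps -o ppid= -p "$pid" 2>/dev/null)"
    # An interpreter keeps the script open while it runs, so an fd usually points at it.
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in *.pl*|*/var/www/*|*/tmp/*|*deleted*) echo "  fd:      $target" ;; esac
    done
}

# Returns 0 when the displayed name differs from the binary actually running.
# Expect benign hits for symlinked interpreters (sh -> dash, busybox applets).
name_mismatch() {
    comm=$(pid_comm "$1"); exe=$(basename "$(pid_exe "$1")")
    [ -n "$comm" ] && [ -n "$exe" ] && [ "$comm" != "$exe" ]
}

# Walk every process of one user. Plain kill sends SIGTERM, which a script can
# trap; collect this evidence first, then stop the process with kill -KILL.
scan_user() {
    for p in $(pgrep -u "$1" 2>/dev/null); do
        inspect_pid "$p"
        if name_mismatch "$p"; then echo "  ** displayed name '$(pid_comm "$p")' does not match binary"; fi
    done
}

# Usage: sh inspect.sh www-data   (run as root so every /proc entry is readable)
if [ "$#" -gt 0 ]; then scan_user "$1"; fi
```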
Hi Till, Thanks for the suggestion. I have never used rkhunter; going to take a look at it. However, currently I have not published any third-party website, and none of my websites have so much traffic. There are approx. 10 websites total.
Which PHP mode do you use in your websites? Is suexec enabled in the websites?
rkhunter --update and then rkhunter -c
Here is the result of rkhunter -c
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.