HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)
-   -   is my server hacked ? urgent (http://www.howtoforge.com/forums/showthread.php?t=53498)

piyush 22nd July 2011 04:13

is my server hacked ? urgent
 
Hello All,


Recently I noticed that the CPU is fully used by the http.pl, httpd.pl and https.pl processes.

This is the result of the top command:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2473 www-data  20   0 36800 6948 1332 R   54  0.7   8:45.96 https.pl
 2348 www-data  20   0 38332 7464 1332 R   52  0.7   8:55.28 http.pl
 2475 www-data  20   0 36688 6884 1332 R   45  0.7   8:29.28 httpd.pl
 2474 www-data  20   0 36952 6948 1332 R   35  0.7   8:37.41 httpd.pl

If I run top -bcis then all the http?.pl processes display as mail.

I tried to kill those processes with kill 2473 but nothing happened to that process; after many attempts the process is still running with PID 2473.


Finally I disconnected my server from the net. I have no idea what the next step should be.

Any suggestion highly appreciated.

piyush 22nd July 2011 12:17

I think I am dead.

Does no one have experience with an http.pl (mail) process consuming the full CPU?

The strange thing is that I searched my whole PC and can't find any file named http.pl or any command named mail.


I think I should buy another hosting plan and transfer the files there.

Tomorrow I have to fly to china so no time to try.

Thanks ................

till 22nd July 2011 13:17

Please check your system with rkhunter to see if, or which, rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server, so it might be possible to fix the problem by just cleaning one website.

erosbk 22nd July 2011 13:34

Install htop to see the path of the running process.

piyush 22nd July 2011 13:43

Quote:

Originally Posted by erosbk (Post 260196)
Install htop to see the path of the running process.

Hi Erosbk,

Thanks a lot for the suggestion.

I have installed htop and used it. That process just appears as mail, not with any other path.
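What top -c and htop display is the name the process gives itself: the COMMAND column comes from /proc/PID/cmdline, which is the process's argv, and a Perl script rewrites it with `$0 = "mail"`. The kernel keeps other records that this does not touch: Name in /proc/PID/status is the file name passed to execve (for a `#!/usr/bin/perl` script that is the script's own name, which is why plain top still shows https.pl), /proc/PID/exe is the interpreter or binary actually mapped, and /proc/PID/cwd is where it was started. The following is an added example, not code from this thread: a POSIX sh script that reads those entries and flags the three signs relevant here (an interpreter whose script no longer appears in argv, a binary deleted from disk after start, a working directory under /tmp or /var/tmp). PROC_ROOT, proc_inspect, proc_verdict and proc_freeze are names chosen for the example; run it as root, because the exe and cwd links of www-data's processes are not readable by other users.

```shell
#!/bin/sh
# Added example (not from the thread): look a suspicious PID up in /proc.
# argv (/proc/PID/cmdline) is writable by the process itself; status Name,
# exe and cwd are maintained by the kernel and survive an argv rewrite.

PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the checks can run on a constructed tree

# proc_inspect PID : print the kernel's view of the process.
proc_inspect() {
    d="$PROC_ROOT/$1"
    [ -d "$d" ] || { echo "no such process: $1" >&2; return 2; }
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status")
    ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$d/status")
    exe=$(readlink "$d/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo "?")
    cmd=$(tr '\000' ' ' < "$d/cmdline")      # argv is NUL separated
    printf 'pid=%s ppid=%s name=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' \
        "$1" "$ppid" "$name" "$exe" "$cwd" "$cmd"
}

# proc_verdict PID : print a reason and return 0 if the process looks
# disguised; return 1 if none of the checks fire.
proc_verdict() {
    d="$PROC_ROOT/$1"
    [ -d "$d" ] || return 2
    exe=$(readlink "$d/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo "?")
    cmd=$(tr '\000' ' ' < "$d/cmdline")
    suspicious=1
    # 1. Binary unlinked after start: the kernel appends " (deleted)" to the
    #    exe link, which is why a search of the filesystem finds nothing.
    case "$exe" in
        *" (deleted)") echo "pid $1: executable removed from disk: $exe"; suspicious=0 ;;
    esac
    # 2. An interpreter whose argv shows neither the interpreter nor a script
    #    path: argv[0] was rewritten to hide what is really running.
    base=${exe##*/}; base=${base%% *}
    case "$base" in
        perl*|python*|php*|ruby*|sh|bash|dash)
            case "$cmd" in
                *"$base"*|*.pl*|*.py*|*.php*|*.rb*|*.sh*) ;;
                *) echo "pid $1: $exe running a script hidden from argv (cmdline='$cmd')"; suspicious=0 ;;
            esac ;;
    esac
    # 3. Working directory in a world-writable location, where payloads
    #    dropped through a web application by www-data usually live.
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
            echo "pid $1: working directory is world-writable: $cwd"; suspicious=0 ;;
    esac
    return $suspicious
}

# proc_freeze PID : SIGSTOP cannot be caught or ignored, unlike the SIGTERM
# that a plain `kill PID` sends and a script can trap. The process keeps its
# PID, open files and sockets for inspection but can no longer run or respawn
# anything. Follow with `ls -l /proc/PID/fd`, then `kill -KILL PID`.
proc_freeze() { kill -STOP "$1"; }

# Stand-alone use: sh inspect.sh 2473 2348
if [ "$#" -gt 0 ]; then
    for pid in "$@"; do
        proc_inspect "$pid"
        proc_verdict "$pid" || echo "pid $pid: nothing flagged"
    done
fi
```

This also explains why `kill 2473` left the PID in place: SIGTERM is deliverable to a handler, and a script that sets it to ignore simply carries on. Freeze with `proc_freeze`, copy /proc/PID/cwd and the targets of /proc/PID/fd (sockets there show where the bot connects), then `kill -KILL`; if a fresh process appears afterwards, the PPid printed by `proc_inspect` points at the parent that respawns it.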

piyush 22nd July 2011 13:46

Quote:

Originally Posted by till (Post 260195)
Please check your system with rkhunter to see if or which rootkits are installed. as the scripts run all as www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.


Hi Till,

Thanks for the suggestion.

I have never used rkhunter; I'm going to take a look at it.

However, currently I have not published any third-party website, and none of my websites have that much traffic. There are approx. 10 websites in total.

till 22nd July 2011 13:46

Which php mode do you use in your websites? Is suexec enabled in the websites?

till 22nd July 2011 13:47

Quote:

I have never used rkhunter; I'm going to take a look at it.
Log in on the shell as the root user, then run:

rkhunter --update

and then

rkhunter -c

piyush 22nd July 2011 14:10

Quote:

Originally Posted by till (Post 260199)
Which php mode do you use in your websites? Is suexec enabled in the websites?

Most websites are using fast-cgi. There is no option for suexec.

piyush 22nd July 2011 14:21

Here is the result of rkhunter -c:

[20:12:27] Running Rootkit Hunter version 1.3.6 on server1
[20:12:28]
[20:12:28] Info: Start date is Fri Jul 22 20:12:27 CST 2011
[20:12:28]
[20:12:28] Checking configuration file and command-line options...
[20:12:28] Info: Detected operating system is 'Linux'
[20:12:28] Info: Found O/S name: Ubuntu 11.04
[20:12:28] Info: Command line is /usr/bin/rkhunter -c
[20:12:28] Info: Environment shell is /bin/bash; rkhunter is using bash
[20:12:28] Info: Using configuration file '/etc/rkhunter.conf'
[20:12:28] Info: Installation directory is '/usr'
[20:12:28] Info: Using language 'en'
[20:12:28] Info: Using '/var/lib/rkhunter/db' as the database directory
[20:12:29] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[20:12:29] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/X11R6/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[20:12:29] Info: Using '/' as the root directory by default
[20:12:29] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[20:12:29] Info: No mail-on-warning address configured
[20:12:29] Info: X will be automatically detected
[20:12:29] Info: Found the 'basename' command: /usr/bin/basename
[20:12:29] Info: Found the 'diff' command: /usr/bin/diff
[20:12:29] Info: Found the 'dirname' command: /usr/bin/dirname
[20:12:30] Info: Found the 'file' command: /usr/bin/file
[20:12:30] Info: Found the 'find' command: /usr/bin/find
[20:12:30] Info: Found the 'ifconfig' command: /sbin/ifconfig
[20:12:30] Info: Found the 'ip' command: /sbin/ip
[20:12:30] Info: Found the 'ldd' command: /usr/bin/ldd
[20:12:30] Info: Found the 'lsattr' command: /usr/bin/lsattr
[20:12:30] Info: Found the 'lsmod' command: /sbin/lsmod
[20:12:30] Info: Found the 'lsof' command: /usr/bin/lsof
[20:12:30] Info: Found the 'mktemp' command: /bin/mktemp
[20:12:31] Info: Found the 'netstat' command: /bin/netstat
[20:12:31] Info: Found the 'perl' command: /usr/bin/perl
[20:12:31] Info: Found the 'pgrep' command: /usr/bin/pgrep
[20:12:31] Info: Found the 'ps' command: /bin/ps
[20:12:31] Info: Found the 'pwd' command: /bin/pwd
[20:12:31] Info: Found the 'readlink' command: /bin/readlink
[20:12:31] Info: Found the 'sort' command: /usr/bin/sort
[20:12:31] Info: Found the 'stat' command: /usr/bin/stat
[20:12:31] Info: Found the 'strings' command: /usr/bin/strings
[20:12:32] Info: Found the 'uniq' command: /usr/bin/uniq
[20:12:32] Info: System is not using prelinking
[20:12:32] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[20:12:32] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[20:12:32] Info: Stored hash values did not use a package manager
[20:12:32] Info: The hash function field index is set to 1
[20:12:32] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[20:12:32] Info: Previous file attributes were stored
[20:12:32] Info: Enabled tests are: all
[20:12:33] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps apps
[20:12:33] Info: Found ksym file '/proc/kallsyms'
[20:12:33] Info: Using 'date' to process epoch second times.
[20:12:33]
[20:12:33] Checking if the O/S has changed since last time...
[20:12:33] Info: Nothing seems to have changed
[20:12:33] Info: Locking is not being used
[20:12:34]
[20:12:34] Starting system checks...
[20:12:34]
[20:12:34] Checking system commands...
[20:12:34] Info: Starting test name 'system_commands'
[20:12:34]
[20:12:34] Performing 'strings' command checks
[20:12:34] Info: Starting test name 'strings'
[20:12:34] Scanning for string /usr/sbin/ntpsx [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-ava [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-d [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-shd [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-f [ OK ]
[20:12:35] Scanning for string /usr/include/.../proc.h [ OK ]
[20:12:36] Scanning for string /usr/include/.../.bash_history [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-get [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-dl [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-screen [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-sleep [ OK ]
[20:12:37] Scanning for string /usr/lib/.../bkit-adore.o [ OK ]
[20:12:37] Scanning for string /usr/lib/.../ls [ OK ]
[20:12:37] Scanning for string /usr/lib/.../netstat [ OK ]
[20:12:37] Scanning for string /usr/lib/.../lsof [ OK ]
[20:12:37] Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[20:12:38] Scanning for string /usr/lib/.../uconf.inv [ OK ]
[20:12:39] Scanning for string /usr/lib/.../psr [ OK ]
[20:12:39] Scanning for string /usr/lib/.../find [ OK ]
[20:12:39] Scanning for string /usr/lib/.../pstree [ OK ]
[20:12:39] Scanning for string /usr/lib/.../slocate [ OK ]
[20:12:39] Scanning for string /usr/lib/.../du [ OK ]
[20:12:40] Scanning for string /usr/lib/.../top [ OK ]
[20:12:40] Scanning for string /usr/sbin/... [ OK ]
[20:12:40] Scanning for string /usr/include/... [ OK ]
[20:12:40] Scanning for string /usr/include/.../.tmp [ OK ]
[20:12:40] Scanning for string /usr/lib/... [ OK ]
[20:12:41] Scanning for string /usr/lib/.../.ssh [ OK ]
[20:12:41] Scanning for string /usr/lib/.../bkit-ssh [ OK ]
[20:12:41] Scanning for string /usr/lib/.bkit- [ OK ]
[20:12:41] Scanning for string /tmp/.bkp [ OK ]
[20:12:41] Scanning for string /tmp/.cinik [ OK ]
[20:12:42] Scanning for string /tmp/.font-unix/.cinik [ OK ]
[20:12:42] Scanning for string /lib/.sso [ OK ]
[20:12:42] Scanning for string /lib/.so [ OK ]
[20:12:42] Scanning for string /var/run/...dica/clean [ OK ]
[20:12:42] Scanning for string /var/run/...dica/dxr [ OK ]
[20:12:42] Scanning for string /var/run/...dica/read [ OK ]
[20:12:43] Scanning for string /var/run/...dica/write [ OK ]
[20:12:43] Scanning for string /var/run/...dica/lf [ OK ]
[20:12:43] Scanning for string /var/run/...dica/xl [ OK ]
[20:12:43] Scanning for string /var/run/...dica/xdr [ OK ]
[20:12:43] Scanning for string /var/run/...dica/psg [ OK ]
[20:12:44] Scanning for string /var/run/...dica/secure [ OK ]
[20:12:44] Scanning for string /var/run/...dica/rdx [ OK ]
[20:12:44] Scanning for string /var/run/...dica/va [ OK ]
[20:12:44] Scanning for string /var/run/...dica/cl.sh [ OK ]
[20:12:44] Scanning for string /var/run/...dica/last.log [ OK ]
[20:12:45] Scanning for string /usr/bin/.etc [ OK ]
[20:12:45] Scanning for string /etc/sshd_config [ OK ]
[20:12:45] Scanning for string /etc/ssh_host_key [ OK ]
[20:12:45] Scanning for string /etc/ssh_random_seed [ OK ]
[20:12:45] Scanning for string /dev/ptyp [ OK ]
[20:12:46] Scanning for string /dev/ptyq [ OK ]
[20:12:46] Scanning for string /dev/ptyr [ OK ]
[20:12:46] Scanning for string /dev/ptys [ OK ]
[20:12:46] Scanning for string /dev/ptyt [ OK ]
[20:12:46] Scanning for string /dev/fd/.88/freshb-bsd [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/fresht [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/zxsniff [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/zxsniff.log [ OK ]
[20:12:47] Scanning for string /dev/fd/.99/.ttyf00 [ OK ]
[20:12:47] Scanning for string /dev/fd/.99/.ttyp00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.ttyq00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.ttys00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.pwsx00 [ OK ]
[20:12:48] Scanning for string /etc/.acid [ OK ]
[20:12:48] Scanning for string /usr/lib/.fx/sched_host.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/random_d.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/set_pid.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/setrgrp.2 [ OK ]

