  #1  
22nd July 2011, 04:13
piyush
Is my server hacked? Urgent

Hello All,


Recently I noticed that the CPU is fully used by the http.pl, httpd.pl and https.pl processes.

This is the result of the top command:

  PID USER      PR NI  VIRT  RES  SHR S %CPU %MEM   TIME+ COMMAND
 2473 www-data  20  0 36800 6948 1332 R   54  0.7 8:45.96 https.pl
 2348 www-data  20  0 38332 7464 1332 R   52  0.7 8:55.28 http.pl
 2475 www-data  20  0 36688 6884 1332 R   45  0.7 8:29.28 httpd.pl
 2474 www-data  20  0 36952 6948 1332 R   35  0.7 8:37.41 httpd.pl

If I run top -bcis then all http?.pl processes display as mail.

I tried to kill those processes with kill 2473, but nothing happened to that process; after many attempts the process is still running with ID 2473.

Finally I disconnected my server from the net. I have no idea what should be next.

Any suggestions are highly appreciated.
  #2  
22nd July 2011, 12:17
piyush

I think I am dead.

Does no one have any such experience of an http.pl (mail) process consuming the full CPU?

The strange thing is I searched my whole PC and can't find any file named http.pl or any command named mail.

I think I should buy another hosting and transfer files to there.

Tomorrow I have to fly to China so no time to try.

Thanks.
  #3  
22nd July 2011, 13:17
till

Please check your system with rkhunter to see if or which rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
22nd July 2011, 13:34
erosbk

Install htop to see the path of the running process.
  #5  
22nd July 2011, 13:43
piyush

Quote:
Originally posted by erosbk:
Install htop to see the path of the running process.

Hi Erosbk,

Thanks a lot for the suggestion.

I have installed htop and used it. That process just appears as mail, not with any other path.
  #6  
22nd July 2011, 13:46
till

Which PHP mode do you use in your websites? Is suexec enabled in the websites?
  #7  
22nd July 2011, 13:46
piyush

Quote:
Originally posted by till:
Please check your system with rkhunter to see if or which rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.

Hi Till,

Thanks for the suggestion.

I have never used rkhunter; I am going to take a look at it.

However, currently I have not published any third-party website, and none of my websites has much traffic. There are approx. 10 websites in total.
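Added example, not part of the thread: a process can overwrite its own argv, which is what `top -c` and htop display, so a name like `mail` says little, while `/proc/<pid>/exe` and `/proc/<pid>/cwd` still point at the real binary and working directory. The proc-root argument, `make_sample` and every path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: show what a process really is from /proc,
# whatever name it displays. The optional proc-root argument is an assumption.

proc_identity() {
    pid=$1; dir="${2:-/proc}/$pid"
    [ -d "$dir" ] || return 1
    comm=$(cat "$dir/comm" 2>/dev/null) || comm="?"
    # argv is NUL-separated and writable by the process itself (Perl: $0 = "mail")
    shown=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ *$//')
    # exe and cwd are kernel-maintained links; rewriting argv does not change them
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="?"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="?"
    flags=""
    # a file or directory unlinked after start is reported with " (deleted)"
    case "$exe$cwd" in *" (deleted)"*) flags="deleted" ;; esac
    # heuristic: the displayed argv[0] matches neither the real binary nor comm
    arg0=${shown%% *}; arg0=${arg0##*/}; arg0=${arg0%:}
    real=${exe% (deleted)}; real=${real##*/}
    if [ -n "$arg0" ] && [ "$arg0" != "$real" ] && [ "$arg0" != "$comm" ]; then
        flags="${flags:+$flags,}renamed"
    fi
    printf 'pid=%s comm=%s shown="%s" exe=%s cwd="%s" flags=%s\n' \
        "$pid" "$comm" "$shown" "$exe" "$cwd" "${flags:-none}"
}

# Report every process whose real UID is $1 (www-data is UID 33 on Debian/Ubuntu).
scan_uid() {
    root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/status" ] || continue
        owner=$(awk '/^Uid:/ {print $2; exit}' "$d/status")
        if [ "$owner" = "$1" ]; then proc_identity "${d##*/}" "$root"; fi
    done
}

# Constructed sample mirroring the thread's symptoms (paths are made up).
make_sample() {
    t=$(mktemp -d) && mkdir "$t/2473" "$t/900" || return 1
    printf 'https.pl\n' > "$t/2473/comm"; printf 'mail\0' > "$t/2473/cmdline"
    printf 'Uid:\t33\t33\t33\t33\n' > "$t/2473/status"
    ln -s /usr/bin/perl "$t/2473/exe"; ln -s '/var/www/example/tmp (deleted)' "$t/2473/cwd"
    printf 'apache2\n' > "$t/900/comm"; printf '/usr/sbin/apache2\0-k\0start\0' > "$t/900/cmdline"
    printf 'Uid:\t33\t33\t33\t33\n' > "$t/900/status"
    ln -s /usr/sbin/apache2 "$t/900/exe"; ln -s / "$t/900/cwd"
    echo "$t"
}

t=$(make_sample) && scan_uid 33 "$t" && rm -rf "$t"
```

On a live host, run `scan_uid "$(id -u www-data)"` as root, since reading another user's `exe` and `cwd` links requires it.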
All times are GMT +2.