HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

#1
22nd July 2011, 05:13
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)
Is my server hacked? Urgent

Hello All,


Recently I noticed that the CPU is fully used by the http.pl, httpd.pl and https.pl processes.

This is the result of the top command:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2473 www-data 20 0 36800 6948 1332 R 54 0.7 8:45.96 https.pl
2348 www-data 20 0 38332 7464 1332 R 52 0.7 8:55.28 http.pl
2475 www-data 20 0 36688 6884 1332 R 45 0.7 8:29.28 httpd.pl
2474 www-data 20 0 36952 6948 1332 R 35 0.7 8:37.41 httpd.pl

If I run top -bcis, then all the http?.pl processes display as mail.

I tried to kill those processes with kill 2473, but nothing happened; after many attempts the process is still running with PID 2473.


Finally I disconnected my server from the net. I have no idea what should be next.

Any suggestion highly appreciated.
#2
22nd July 2011, 13:17
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)

I think I am dead.

Has no one had such an experience of an http.pl (mail) process consuming the full CPU?

The strange thing is that I searched my whole PC and can't find any file named http.pl or any command named mail.


I think I should buy another hosting and transfer files to there.

Tomorrow I have to fly to china so no time to try.

Thanks ................
#3
22nd July 2011, 14:17
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 36,794)

Please check your system with rkhunter to see if or which rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#4
22nd July 2011, 14:34
erosbk (Senior Member; Join Date: Mar 2011; Posts: 337)

Install htop to see the path of the running process.
#5
22nd July 2011, 14:43
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)

Quote: Originally Posted by erosbk
> Install htop to see the path of the running process.

Hi Erosbk,

Thanks a lot for the suggestion.

I have installed htop and used it; that process just appears as mail, not with any other path.
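One way to see what the kernel actually records about such a process, added here as an illustration and not code from the thread or from ISPConfig: it reads /proc/PID (comm, exe, cmdline, SigCgt) and explains why plain top shows one name while htop shows "mail", why no file of that name may exist, and why a plain kill can be ignored. It assumes a Linux /proc layout; the SAMPLE tuple is constructed to resemble the thread's process, not captured from that server.

```python
# Triage a suspicious PID through /proc. Added example, not code from the
# thread. Assumes the Linux /proc layout; SAMPLE is constructed, not captured.
import os
import sys

SIGTERM = 15
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash"}

def catches_signal(sigcgt_hex, signum):
    """SigCgt (from /proc/PID/status) sets bit signum-1 for each caught signal."""
    return bool((int(sigcgt_hex, 16) >> (signum - 1)) & 1)

def classify(comm, exe, cmdline, sigcgt_hex):
    """Compare what top/htop display with what the kernel records: comm is
    /proc/PID/comm (15 chars, shown by plain top), exe the readlink of
    /proc/PID/exe, cmdline the argv list (a script can rewrite it; htop shows it)."""
    findings = []
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    if argv0 and argv0[:15] != comm:
        findings.append(f"argv rewritten: kernel name {comm!r}, argv[0] {argv0!r}")
    if exe_base in INTERPRETERS:
        findings.append(f"exe is {exe}: {comm!r} is a script, search by content not name")
    if exe.endswith("(deleted)"):
        findings.append("executable unlinked while running; copy /proc/PID/exe first")
    if catches_signal(sigcgt_hex, SIGTERM):
        findings.append("SIGTERM is caught: plain 'kill PID' is ignored, SIGKILL is not")
    return findings

def read_proc(pid, root="/proc"):
    """Gather the four classify() inputs from /proc/PID (Linux only)."""
    p = os.path.join(root, str(pid))
    with open(os.path.join(p, "comm")) as f:
        comm = f.read().strip()
    with open(os.path.join(p, "cmdline"), "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(os.path.join(p, "status")) as f:
        sigcgt = next((l.split()[1] for l in f if l.startswith("SigCgt:")), "0")
    try:
        exe = os.readlink(os.path.join(p, "exe"))
    except OSError:  # not our process (needs root) or a kernel thread
        exe = ""
    return comm, exe, cmdline, sigcgt

# Constructed sample modelled on the thread: top shows https.pl, htop shows 'mail'.
SAMPLE = ("https.pl", "/usr/bin/perl", ["mail"], "0000000000004002")

if __name__ == "__main__":
    fields = read_proc(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("comm=%r exe=%r argv=%r" % (fields[0], fields[1], fields[2]))
    for finding in classify(*fields):
        print(" -", finding)
```

Run it with a PID as root to inspect a live process; without arguments it classifies the constructed sample.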
#6
22nd July 2011, 14:46
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)

Quote: Originally Posted by till
> Please check your system with rkhunter to see if or which rootkits are installed. As the scripts all run as the www-data user, most likely just one website is affected and not the whole server. So it might be possible to fix the problem by just cleaning one website.

Hi Till,

Thanks for the suggestion.

I have never used rkhunter; going to take a look at it.

However, currently I have not published any third-party website, and none of my websites have so much traffic. There are approx. 10 websites in total.
#7
22nd July 2011, 14:46
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 36,794)

Which php mode do you use in your websites? Is suexec enabled in the websites?
#8
22nd July 2011, 14:47
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 36,794)

Quote: Originally Posted by piyush
> I have never used rkhunter; going to take a look at it.

Log in on the shell as the root user, then run:

rkhunter --update

and then

rkhunter -c
#9
22nd July 2011, 15:10
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)

Quote: Originally Posted by till
> Which php mode do you use in your websites? Is suexec enabled in the websites?

Most websites are using fast-cgi. There is no option for suexec.
#10
22nd July 2011, 15:21
piyush (Junior Member; Join Date: Jul 2011; Posts: 22)

Here is the result of rkhunter -c:

[20:12:27] Running Rootkit Hunter version 1.3.6 on server1
[20:12:28]
[20:12:28] Info: Start date is Fri Jul 22 20:12:27 CST 2011
[20:12:28]
[20:12:28] Checking configuration file and command-line options...
[20:12:28] Info: Detected operating system is 'Linux'
[20:12:28] Info: Found O/S name: Ubuntu 11.04
[20:12:28] Info: Command line is /usr/bin/rkhunter -c
[20:12:28] Info: Environment shell is /bin/bash; rkhunter is using bash
[20:12:28] Info: Using configuration file '/etc/rkhunter.conf'
[20:12:28] Info: Installation directory is '/usr'
[20:12:28] Info: Using language 'en'
[20:12:28] Info: Using '/var/lib/rkhunter/db' as the database directory
[20:12:29] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[20:12:29] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/X11R6/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[20:12:29] Info: Using '/' as the root directory by default
[20:12:29] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[20:12:29] Info: No mail-on-warning address configured
[20:12:29] Info: X will be automatically detected
[20:12:29] Info: Found the 'basename' command: /usr/bin/basename
[20:12:29] Info: Found the 'diff' command: /usr/bin/diff
[20:12:29] Info: Found the 'dirname' command: /usr/bin/dirname
[20:12:30] Info: Found the 'file' command: /usr/bin/file
[20:12:30] Info: Found the 'find' command: /usr/bin/find
[20:12:30] Info: Found the 'ifconfig' command: /sbin/ifconfig
[20:12:30] Info: Found the 'ip' command: /sbin/ip
[20:12:30] Info: Found the 'ldd' command: /usr/bin/ldd
[20:12:30] Info: Found the 'lsattr' command: /usr/bin/lsattr
[20:12:30] Info: Found the 'lsmod' command: /sbin/lsmod
[20:12:30] Info: Found the 'lsof' command: /usr/bin/lsof
[20:12:30] Info: Found the 'mktemp' command: /bin/mktemp
[20:12:31] Info: Found the 'netstat' command: /bin/netstat
[20:12:31] Info: Found the 'perl' command: /usr/bin/perl
[20:12:31] Info: Found the 'pgrep' command: /usr/bin/pgrep
[20:12:31] Info: Found the 'ps' command: /bin/ps
[20:12:31] Info: Found the 'pwd' command: /bin/pwd
[20:12:31] Info: Found the 'readlink' command: /bin/readlink
[20:12:31] Info: Found the 'sort' command: /usr/bin/sort
[20:12:31] Info: Found the 'stat' command: /usr/bin/stat
[20:12:31] Info: Found the 'strings' command: /usr/bin/strings
[20:12:32] Info: Found the 'uniq' command: /usr/bin/uniq
[20:12:32] Info: System is not using prelinking
[20:12:32] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[20:12:32] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[20:12:32] Info: Stored hash values did not use a package manager
[20:12:32] Info: The hash function field index is set to 1
[20:12:32] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[20:12:32] Info: Previous file attributes were stored
[20:12:32] Info: Enabled tests are: all
[20:12:33] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps apps
[20:12:33] Info: Found ksym file '/proc/kallsyms'
[20:12:33] Info: Using 'date' to process epoch second times.
[20:12:33]
[20:12:33] Checking if the O/S has changed since last time...
[20:12:33] Info: Nothing seems to have changed
[20:12:33] Info: Locking is not being used
[20:12:34]
[20:12:34] Starting system checks...
[20:12:34]
[20:12:34] Checking system commands...
[20:12:34] Info: Starting test name 'system_commands'
[20:12:34]
[20:12:34] Performing 'strings' command checks
[20:12:34] Info: Starting test name 'strings'
[20:12:34] Scanning for string /usr/sbin/ntpsx [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-ava [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-d [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-shd [ OK ]
[20:12:35] Scanning for string /usr/sbin/.../bkit-f [ OK ]
[20:12:35] Scanning for string /usr/include/.../proc.h [ OK ]
[20:12:36] Scanning for string /usr/include/.../.bash_history [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-get [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-dl [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-screen [ OK ]
[20:12:36] Scanning for string /usr/include/.../bkit-sleep [ OK ]
[20:12:37] Scanning for string /usr/lib/.../bkit-adore.o [ OK ]
[20:12:37] Scanning for string /usr/lib/.../ls [ OK ]
[20:12:37] Scanning for string /usr/lib/.../netstat [ OK ]
[20:12:37] Scanning for string /usr/lib/.../lsof [ OK ]
[20:12:37] Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-shhk [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-pw [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-shrs [ OK ]
[20:12:38] Scanning for string /usr/lib/.../bkit-ssh/bkit-mots [ OK ]
[20:12:38] Scanning for string /usr/lib/.../uconf.inv [ OK ]
[20:12:39] Scanning for string /usr/lib/.../psr [ OK ]
[20:12:39] Scanning for string /usr/lib/.../find [ OK ]
[20:12:39] Scanning for string /usr/lib/.../pstree [ OK ]
[20:12:39] Scanning for string /usr/lib/.../slocate [ OK ]
[20:12:39] Scanning for string /usr/lib/.../du [ OK ]
[20:12:40] Scanning for string /usr/lib/.../top [ OK ]
[20:12:40] Scanning for string /usr/sbin/... [ OK ]
[20:12:40] Scanning for string /usr/include/... [ OK ]
[20:12:40] Scanning for string /usr/include/.../.tmp [ OK ]
[20:12:40] Scanning for string /usr/lib/... [ OK ]
[20:12:41] Scanning for string /usr/lib/.../.ssh [ OK ]
[20:12:41] Scanning for string /usr/lib/.../bkit-ssh [ OK ]
[20:12:41] Scanning for string /usr/lib/.bkit- [ OK ]
[20:12:41] Scanning for string /tmp/.bkp [ OK ]
[20:12:41] Scanning for string /tmp/.cinik [ OK ]
[20:12:42] Scanning for string /tmp/.font-unix/.cinik [ OK ]
[20:12:42] Scanning for string /lib/.sso [ OK ]
[20:12:42] Scanning for string /lib/.so [ OK ]
[20:12:42] Scanning for string /var/run/...dica/clean [ OK ]
[20:12:42] Scanning for string /var/run/...dica/dxr [ OK ]
[20:12:42] Scanning for string /var/run/...dica/read [ OK ]
[20:12:43] Scanning for string /var/run/...dica/write [ OK ]
[20:12:43] Scanning for string /var/run/...dica/lf [ OK ]
[20:12:43] Scanning for string /var/run/...dica/xl [ OK ]
[20:12:43] Scanning for string /var/run/...dica/xdr [ OK ]
[20:12:43] Scanning for string /var/run/...dica/psg [ OK ]
[20:12:44] Scanning for string /var/run/...dica/secure [ OK ]
[20:12:44] Scanning for string /var/run/...dica/rdx [ OK ]
[20:12:44] Scanning for string /var/run/...dica/va [ OK ]
[20:12:44] Scanning for string /var/run/...dica/cl.sh [ OK ]
[20:12:44] Scanning for string /var/run/...dica/last.log [ OK ]
[20:12:45] Scanning for string /usr/bin/.etc [ OK ]
[20:12:45] Scanning for string /etc/sshd_config [ OK ]
[20:12:45] Scanning for string /etc/ssh_host_key [ OK ]
[20:12:45] Scanning for string /etc/ssh_random_seed [ OK ]
[20:12:45] Scanning for string /dev/ptyp [ OK ]
[20:12:46] Scanning for string /dev/ptyq [ OK ]
[20:12:46] Scanning for string /dev/ptyr [ OK ]
[20:12:46] Scanning for string /dev/ptys [ OK ]
[20:12:46] Scanning for string /dev/ptyt [ OK ]
[20:12:46] Scanning for string /dev/fd/.88/freshb-bsd [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/fresht [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/zxsniff [ OK ]
[20:12:47] Scanning for string /dev/fd/.88/zxsniff.log [ OK ]
[20:12:47] Scanning for string /dev/fd/.99/.ttyf00 [ OK ]
[20:12:47] Scanning for string /dev/fd/.99/.ttyp00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.ttyq00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.ttys00 [ OK ]
[20:12:48] Scanning for string /dev/fd/.99/.pwsx00 [ OK ]
[20:12:48] Scanning for string /etc/.acid [ OK ]
[20:12:48] Scanning for string /usr/lib/.fx/sched_host.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/random_d.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/set_pid.2 [ OK ]
[20:12:49] Scanning for string /usr/lib/.fx/setrgrp.2 [ OK ]
All times are GMT +2. The time now is 17:03.