#1
10th January 2008, 17:22
rayit
Member
Join Date: Nov 2005
Posts: 93
Thanks: 0
Thanked 2 Times in 2 Posts
strange process running

www-data 15550 0.0 0.0 1988 728 ? S 16:59 0:00 /usr/local/apache/bin/httpd -DSSL

The strange thing is that I have no /usr/local/apache folder.
If I stop the process, it starts again:
kill -9 15550

and it is there again:
www-data 21714 0.0 0.0 1988 728 ? S 17:20 0:00 /usr/local/apache/bin/httpd -DSSL

Any ideas or suggestions?
Apache2 works normally...

Many thanks

Raymond
RaYIT
#2
10th January 2008, 17:25
rayit
aha I found something more...

/home/www/web38/web/maurice/mambots/editors/tinymce/jscripts/tiny_mce/plugins/advimage/jscripts/AhoK/httpd
/home/www/web38/web/maurice/mambots/system/ChuCu/httpd

This looks like some hacking...

Some advice??

Thanks

Raymond
RayIT
#3
10th January 2008, 23:18
rayit
seems solved

I removed the mambots folder and everything seems nice again..

I hope...
#4
11th January 2008, 03:38
volksman
Senior Member
Join Date: May 2007
Posts: 124
Thanks: 2
Thanked 16 Times in 14 Posts

I would STRONGLY suggest you run something like rkhunter or chkrootkit and see if it finds more.

Chances are if there was one door there are others.
#5
17th January 2008, 11:44
rayit
thanks.. how to disable cron process

I checked the system with rkhunter and chkrootkit.
I removed all the strange code, searched for other code with slocate, and removed it all.

Only I am left with this line every minute in the log.

How can I delete the cron job? I cannot find it in crontab etc...

Jan 17 11:38:01 ns1 /USR/SBIN/CRON[31215]: (www-data) CMD (/home/www/web38/web/maurice/mambots/system/ChuCu/y2kupdate >/dev/null 2>&1)

As soon as I have some time I will switch all the sites to a new box, but that will take some time...

Many thanks

raymond
#6
17th January 2008, 12:04
devnull3d
Junior Member
Join Date: Jan 2008
Posts: 15
Thanks: 0
Thanked 0 Times in 0 Posts

Run crontab -e and press page down a few times; perhaps the "hackers" hid their evil cron job a few pages down. Or maybe another process is issuing that process.
Make sure your netstat isn't tampered with; better, just reinstall net-tools to be sure. Then run netstat -na and lsof and check for weird listening daemons.
Also, if the hackers got root access they might have replaced your sshd with their own modified one. So check the timestamps of /usr/sbin/sshd (please note that timestamps can be modified); if something doesn't feel right, just reinstall sshd as well.
Check the web applications you're hosting; it is most likely they are the cause of your server being compromised.
Don't just rely on chkrootkit and rkhunter.

Last edited by devnull3d; 17th January 2008 at 12:09.
#7
14th July 2008, 23:26
rayit
solved..?

Sorry for my late post....many thanks for the help!
The system has been running for weeks now without problems..

I found the file www-data in
/var/spool/cron/crontabs/www-data

with this content:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Wed Jan 9 16:44:05 2008)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /home/www/web38/web/maurice/mambots/system/ChuCu/y2kupdate >/dev/null$

I just removed the file.
I also removed the content of the mambots...

Until now everything seems ok.

Greets

Raymond
RayIT
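Posts #5 through #7 show the practical problem: a job that `crontab -e` as root did not reveal, because it lived in the www-data user's own spool file under /var/spool/cron/crontabs. The script below is an added example written for this thread, not code posted by anyone in it. It walks every location a Debian/Ubuntu-style cron reads (system crontab, cron.d, the periodic directories, and both spool layouts) and flags entries that run every minute or whose command lives under a web root or world-writable directory, which is the shape of the y2kupdate job above. The CRON_LOCATIONS list and WEB_ROOT_PATTERN are assumptions for illustration; adjust them for the host. Run it with --scan as root to inspect a real machine; without arguments it exercises the checks on a constructed crontab modelled on the one in post #7.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it): enumerate every
# location cron reads on a Debian/Ubuntu-style host and flag entries that look like
# the y2kupdate job in the thread: running every minute, or launched from a web
# root or a world-writable directory. Paths and patterns below are assumptions.

# Files and directories cron parses. Per-user "crontab -e" files live in
# /var/spool/cron/crontabs/<user> on Debian (where post #7 found www-data's)
# or /var/spool/cron/<user> on Red Hat-style systems. Reading the spool needs root.
CRON_LOCATIONS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
/etc/cron.weekly /etc/cron.monthly /var/spool/cron/crontabs /var/spool/cron"

# Directories a www-data-level account can usually write to (assumed; tune per host).
WEB_ROOT_PATTERN='/home/www|/var/www|/tmp|/dev/shm'

# list_cron_sources: print every regular file cron would parse on this host.
list_cron_sources() {
    for loc in $CRON_LOCATIONS; do
        if [ -d "$loc" ]; then
            find "$loc" -type f 2>/dev/null
        elif [ -f "$loc" ]; then
            printf '%s\n' "$loc"
        fi
    done
}

# flag_cron_lines FILE: print "FILE:ENTRY" for each non-comment entry whose first
# five fields are all "*" (runs every minute) or whose text matches WEB_ROOT_PATTERN.
# Exit status 0 if at least one entry was flagged, 1 otherwise.
flag_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null |
    awk -v f="$1" -v pat="$WEB_ROOT_PATTERN" '
        {
            every_minute = ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
            if (every_minute || $0 ~ pat) { print f ":" $0; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# scan_cron: run flag_cron_lines over every real cron source; 0 if anything was flagged.
scan_cron() {
    hits=1
    for src in $(list_cron_sources); do
        flag_cron_lines "$src" && hits=0
    done
    return $hits
}

# run_demo: exercise the check on a constructed crontab modelled on post #7's file.
# The first job is a benign nightly cleanup; the second is the every-minute web-root job.
run_demo() {
    dir=$(mktemp -d)
    cat > "$dir/www-data" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
* * * * * /home/www/web38/web/maurice/mambots/system/ChuCu/y2kupdate >/dev/null 2>&1
EOF
    echo "Flagged entries in the constructed sample:"
    flag_cron_lines "$dir/www-data"
    rm -rf "$dir"
}

# --scan inspects the real host (run as root); no argument runs the embedded sample.
if [ "${1:-}" = "--scan" ]; then
    scan_cron
else
    run_demo
fi
```

A hit from flag_cron_lines is a lead, not a verdict: confirm it with `crontab -l -u <user>` for the owning account, and remember that a cron entry is only the persistence mechanism, so the web application that let the files be dropped (the mambots directory here) still has to be fixed or removed, as the thread concludes.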