strange process running

Discussion in 'Server Operation' started by rayit, Jan 10, 2008.

  1. rayit

    rayit Member

    www-data 15550 0.0 0.0 1988 728 ? S 16:59 0:00 /usr/local/apache/bin/httpd -DSSL


    Strange thing is I have no /usr/local/apache folder.
    If I stop the process it starts again.
    kill -9 15550

    and it is there again
    www-data 21714 0.0 0.0 1988 728 ? S 17:20 0:00 /usr/local/apache/bin/httpd -DSSL

    Any ideas or suggestions?
    The apache2 works normal...

    many thanks

  2. rayit

    rayit Member

    aha I found somerhing more...


    This looks like some hacking...

    Some advise??


  3. rayit

    rayit Member

    seems solved

    I removed the mambots folder and everything seems nice again..

    I hope...
  4. volksman

    volksman New Member

    I would STRONGLY suggest you run something like rkhunter or chkrootkit and see if it finds more.

    Chances are if there was one door there are others.
  5. rayit

    rayit Member

    thanks.. how to disable cron process

    I checked system with rkhunter and chkrootkit
    I removed all the strange code and searched for other codes with slocate and removed them all.

    Only I am left with this line every minute in the log

    How can I delete the cron job, i can not find it in crontab etc...

    :mad: :mad: :mad: :mad:
    Jan 17 11:38:01 ns1 /USR/SBIN/CRON[31215]: (www-data) CMD (/home/www/web38/web/maurice/mambots/system/ChuCu/y2kupdate >/dev/null 2>&1)

    As soon as I have some time I will switch all the sites to a new box, but that will take some time...

    many thanks

  6. devnull3d

    devnull3d New Member

    run crontab -e and press page down few times perhaps the "hackers" hide their evil cron job few pages down. Or maybe another process is issuing that process.
    Make sure your netstat isn't tampered, better just reinstall net-tools just to be sure. Then run netstat -na and lsof and check for weird listening daemons.
    Also if the hackers got root access they might have reinstalled your sshd with their own modified one. So check the timestamps of /usr/sbin/sshd (please note that timestamps can be modified) if something doesn't feel right, just reinstall sshd as well.
    Check the web applications you're hosting, it is most likely they are the cause for your server to be compromised.
    Don't just rely on chrootkit and rootkithunter.
    Last edited: Jan 17, 2008
  7. rayit

    rayit Member


    Sorry for my late post....many thanks for the help!
    System is running now for weeks without problems..

    I found the file www-data in

    with this content.

    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (cron.d installed on Wed Jan 9 16:44:05 2008)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    * * * * * /home/www/web38/web/maurice/mambots/system/ChuCu/y2kupdate >/dev/null$

    I just removed the file.
    I also removed the content of the mambots...

    Until now everyting seems ok.:)



Share This Page