Re: Am I Compromised -- More information
From: Steve Block (scblock_at_ev-15.com)
Date: 11/28/05
- Previous message: Tshepang Lekhonkhobe: "What's that displayed on 'top'?"
- In reply to: Ritesh Raj Sarraf: "Am I Compromised -- More information"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 28 Nov 2005 08:15:06 -0600 To: debian-user@lists.debian.org
On Fri, Nov 25, 2005 at 09:32:43PM +0530, Ritesh Raj Sarraf wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Even after I stop my webserver, I get the perl process to be chewing up 99%
>of my cpu cycles.
>
>top - 07:58:28 up 3 days, 8:26, 1 user, load average: 0.96, 1.04, 1.17
>Tasks: 56 total, 3 running, 53 sleeping, 0 stopped, 0 zombie
>Cpu(s): 84.0% us, 16.0% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
>Mem: 516156k total, 477684k used, 38472k free, 97492k buffers
>Swap: 979924k total, 0k used, 979924k free, 127688k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>28390 www-data 25 0 5760 3812 3444 R 99.4 0.7 48:18.85 perl
> 1 root 16 0 1504 512 1352 S 0.0 0.1 0:00.52 init
> 2 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
> 3 root 5 -10 0 0 0 S 0.0 0.0 0:02.24 events/0
> 4 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 khelper
> 5 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
> 41 root 5 -10 0 0 0 S 0.0 0.0 0:02.08 kblockd/0
> 51 root 15 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
> 52 root 15 0 0 0 0 S 0.0 0.0 0:01.19 pdflush
> 54 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
> 53 root 15 0 0 0 0 S 0.0 0.0 0:05.39 kswapd0
> 190 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
>
>
>But `pstree` says there's no apache2 running and that's right:
>
>ns1:/etc/cron.d# pstree
>init─┬─atd
>     ├─cron
>     ├─events/0─┬─aio/0
>     │          ├─kacpid
>     │          ├─kblockd/0
>     │          ├─khelper
>     │          ├─2*[pdflush]
>
>
>But `ps aux | grep -i www-data` results in the following:
>
>ns1:/etc/cron.d# ps aux | grep www-data
>www-data 28390 43.8 0.7 5760 3812 ? R 06:08 48:27 /usr/sbin/httpd
>root 1550 0.0 0.0 1548 476 pts/0 R+ 07:58 0:00 grep www-data
>
>
>
>If there's no /usr/sbin/httpd, how is the process running?
httpd is the parent process of that perl process that is eating all of
your processor. If you kill the perl process I think you'll find that
httpd is no longer running anywhere.
As to whether you are compromised: probably, but since www-data is a limited
account, the damage should be limited to world-writable directories such
as /tmp and /var/tmp unless a local compromise was used to gain higher-level
access.
The likely culprit here is not apache itself, but a vulnerable script,
such as an older version of the php xmlrpc script. Are you running any
php based content management systems such as drupal?
-- 
Steve Block http://ev-15.com/ http://steveblock.com/ scblock@ev-15.com
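The check I'd run on a machine in this state, as an added example that is not code from the thread or from Debian: the same PID 28390 appears as "perl" in top, which takes the kernel's task name from /proc/PID/stat, and as "/usr/sbin/httpd" in ps aux, which takes the process's own argv from /proc/PID/cmdline. The script below walks /proc and flags any process whose two names disagree, and, for the /tmp and /var/tmp point above, any process whose executable or working directory lives in those directories. It assumes a Linux /proc; the function names are mine.

```shell
#!/bin/sh
# Added example for this thread; not code from the list posters or from
# Debian. It checks each process the way PID 28390 above ought to be checked:
#   * top's COMMAND column is the kernel's name for the task, the
#     parenthesised field of /proc/PID/stat ("perl" in the thread);
#   * ps aux's COMMAND column is whatever the process currently has in its
#     argv, read from /proc/PID/cmdline ("/usr/sbin/httpd" in the thread).
# A process can overwrite its own argv (perl's "$0 = ..." does this) without
# touching the kernel-side name unless it also calls prctl(PR_SET_NAME), so a
# disagreement between the two is a cheap first tell. As a second tell, an
# executable or working directory under /tmp or /var/tmp (the directories a
# www-data compromise can write to) is flagged. Function names are mine and
# assume a Linux /proc.

# Does the kernel-side name disagree with the advertised argv?
# $1 = comm, $2 = cmdline with its NUL separators already turned into spaces.
# Returns 0 (true) on disagreement, 1 when the two names are consistent.
name_mismatch() {
    comm=$1
    set -f; set -- $2; set +f      # split argv on spaces, without globbing
    [ $# -gt 0 ] || return 1       # kernel threads have no argv: nothing to compare
    # A shebang script is exec'd as "interpreter script" and the kernel names
    # the task after the script, so argv[1] counts as a legitimate match too.
    for word in "$1" "${2:-}"; do
        base=${word##*/}           # basename of the argv word
        base=${base#-}             # login shells advertise themselves as "-bash"
        short=$(printf '%s' "$base" | cut -c1-15)   # the kernel cuts comm to 15 chars
        [ "$short" = "$comm" ] && return 1
    done
    return 0
}

# Is the path inside one of the world-writable scratch directories?
in_scratch_dir() {
    case $1 in
        /tmp/*|/var/tmp/*) return 0 ;;
    esac
    return 1
}

# Inspect one PID. Prints a one-line summary; returns 0 if anything looked
# off, 1 if it looked normal, 2 if the PID is unreadable or gone.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || return 2
    comm=$(sed 's/^[0-9]* (\(.*\)) [A-Za-z].*/\1/' "/proc/$pid/stat")
    cmdline=$(tr '\000' ' ' < "/proc/$pid/cmdline")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    printf '%s comm=%s cmdline="%s" exe=%s cwd=%s\n' \
        "$pid" "$comm" "${cmdline% }" "$exe" "$cwd"
    name_mismatch "$comm" "$cmdline" || in_scratch_dir "$exe" || in_scratch_dir "$cwd"
}

# Walk /proc and print only the processes that tripped a check.
scan_all() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        line=$(check_pid "$pid" 2>/dev/null) && printf 'SUSPECT %s\n' "$line"
    done
    return 0
}

# Usage: sh proc_names.sh           (scan every process)
#        sh proc_names.sh 28390     (look at one PID)
if [ $# -gt 0 ]; then check_pid "$1"; else scan_all; fi
```

On the thread's box the interesting line would read something like `28390 comm=perl cmdline="/usr/sbin/httpd" exe=/usr/bin/perl ...`: the exe link, which the kernel maintains and argv rewriting cannot change, tells you what binary is really running, and a cwd or exe under /tmp tells you where to look for the dropped script.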