Trojan activity - running perl with high CPU usage, with user apache
Problem:
Programs named perl running with heavy CPU usage, owned by user apache.
We found the problem on Fedora 3 and Fedora 6.
In our case, it was the result of a Trojan activity.
Quick Solution
Check the cron jobs of user apache
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile
Delete the cronjob entry.
Also delete the file /tmp/.tmp/tmpfile
Also added "apache" to the file /etc/cron.deny
That's all
Problem and solution in detail.
Symptoms
The system ran at a very slow speed.
Issued the top command and found that a program named perl was running with the ownership of user apache and consuming nearly 100% CPU. Sometimes it showed multiple instances of the same program running.
The system acted as a mail bombing source. The sender was apache@ourdomain
The mailq got clogged very soon. ( postqueue -p )
Tried to catch the executable of the same.
Issued ps -o cmd <pid>
and found that the program /usr/bin/web/httpd had been invoked.
But there was no such program on the system,
which confirmed that it was a hack/exploit.
Tried other commands like
pstree -nap
pidof httpd |wc -w
instead of the 9 httpd processes, it showed more than 10.
Then killed the process with
service httpd stop
service httpd stop
(It was required to run this twice, as the first one stops the genuine httpd service and the second one the hacker's.)
Then killed all the programs owned by apache.
pkill -KILL -u apache
How we got the evidence
Updated the Clam antivirus, and the postmaster got a virus alert mail from the content filter (Amavis-New). The detected virus was "Trojan.Perl.Shellbot-2".
Searched for the virus on Google and on the McAfee site, where there was a description of the attack. It mentioned the /tmp/.tmp directory, where the Trojan was planted.
We searched for it and found such a directory, with an executable named tmpfile in it.
We deleted it and, after some time, the postmaster got a mail about a failed cronjob. In that mail, we got the cronjob entry as "perl /tmp/.tmp/tmpfile" and the user was apache.
Checked the cron jobs of user apache
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile
and deleted the cronjob entry. Also deleted the file /tmp/.tmp/tmpfile
Also added "apache" to the file /etc/cron.deny
Now the system seems ok.
Has anybody faced similar problems? Please suggest the countermeasures for such attacks.
Thanks
Hari
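Added triage helpers (not from the post above) that check for the two indicators Hari describes: a service-account crontab entry running a script out of /tmp or a hidden directory, and a process whose command line claims an executable (like /usr/bin/web/httpd) that does not exist on disk. It assumes POSIX sh and grep -E; the crontab text is constructed inline to mirror the post, and the live commands at the end are commented out so the script runs offline.

```shell
#!/bin/sh
# Constructed sample crontab, mirroring the entry found in the post.
SAMPLE_CRONTAB='# m h dom mon dow command
*/1 * * * * perl /tmp/.tmp/tmpfile
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf'

# Print non-comment crontab lines (read on stdin) whose command refers to a
# world-writable scratch directory or a hidden directory, e.g. /tmp/.tmp/.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' \
        | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/|/\.[^./[:space:]][^/[:space:]]*/'
}

# Number of flagged lines, for use in scripts and alerts.
count_suspicious() {
    suspicious_cron_lines | grep -c .
}

# Given a command-line string, return 0 when its first word is an absolute
# path that does not exist on disk (the post saw /usr/bin/web/httpd in
# ps output although no such file existed).
cmd_path_missing() {
    claimed=$(printf '%s' "$1" | cut -d' ' -f1)
    case "$claimed" in
        /*) [ ! -e "$claimed" ] ;;
        *)  return 1 ;;
    esac
}

# Same check against a live PID via /proc (Linux only).
pid_exe_missing() {
    cmd_path_missing "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Live use on the affected host, as root (kept commented so this runs offline):
# crontab -u apache -l 2>/dev/null | suspicious_cron_lines
# for p in $(pgrep -u apache); do
#     pid_exe_missing "$p" && echo "PID $p claims a missing executable"
# done
```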