  1. #1

    Help, how can I pinpoint who's using up resources with perl?

    Hey guys,


    OK, got a load of 2.0 at the moment. My sites are running fine, but I have about 7 friends' sites on the server which I host for free.

    This is reading from top:
    13562 nobody 25 0 3044 2984 1464 R 70.4 0.2 502:21 0 perl

    As you can see it's using 70% CPU; it jumps from 70 to 90.


    How can I find who on earth is using it? Or maybe it's not somebody, I don't know.

    Any help appreciated.

  2. #2
    ps -aux will show the full process list. If you are using cPanel, inside WHM there is a link to show Apache/CPU/MySQL usage, which will also show some detailed info.
    Neosurge Web Services since 2002
    Neosurge VPS Hosting

  3. #3
    Check for executables in your /tmp, /var/tmp...

  4. #4
    Thanks.

    Yeah, I looked at WHM and it only gave me
    nobody 90.18 0.37 0.0
    the 0.0 being no MySQL usage at all,

    90.18 being CPU usage.

    ps -aux gave me

    nobody 13562 88.1 0.2 6464 2988 ? R Jun09 535:30 /usr/sbin/httpd

    check some executables in your /tmp, /var/tmp ..
    How would I do that? I'm still learning how to handle my server. I can navigate to them, but what would I do once there? Thank you.

  5. #5
    In /tmp I get things like

    aff.txt nobody-session-0.334416472659544 sess_72d99f8ab172685cc5fa513da7b597ca

  6. #6
    It could just be a hung process; you can use kill -9 <PID> to remove that process.

    Replace <PID> with the actual process ID.

  7. #7
    13562 nobody 25 0 3044 2984 1464 R 70.4 0.2 502:21 0 perl

    PID = 13562

    ls -al /proc/13562
    cat /proc/13562/cmdline

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  8. #8
    I killed the process and it doesn't seem to have come back. Load is hovering at 1.1 now, which is better than 2; I imagine it will go down.

    Scott, what would that have done?


    Would this hung process have been someone's script, or a script installed on the server that uses perl? Thanks.

  9. #9
    It will show you where the script was run from. That way you will see what it was running.

  10. #10
    Ahhh, I'll have to write that down, thank you. Will it still show me after the process has been killed? Suppose I can give it a go to find out, hey. Cheers.

  11. #11
    No, it won't show after the process has been killed.

    You should learn about /proc/; it's great for tracing where things were started and so on.

    ls -al /proc/<pid> will show you all the things it has.

  12. #12
    Also, lsof can be your friend when needed (`lsof | grep perl` would show you what files are in use by perl). But what HostGeekZ said will work for sure.

  13. #13
    Thanks guys.

    I will definitely look into /proc, just gotta find where; never had much luck with tutorials for server management / command line tutorials etc. Your site looks very informative though, Scott.

    For grep / lsof would I type

    # grep perl

    and

    # lsof perl
    I always seem to learn by example easier.

    Thanks again guys, load is back down to .25 - .30 where it should be.

  14. #14
    It's not very informative yet; I have not spent much time on it.

    Waiting for the layout to be "spiced up", should be done in a few days. Then I'll start working on it. It has great potential already, I just need to work at it.

  15. #15
    Type:

    lsof | grep perl
    Dan - Vice President - [email protected]
    BurstNET Technologies - http://www.burst.net

  16. #16
    Since nobody bothered to mention it, I will. Check your phpBB installs on that server. The perl process owned by nobody is a classic symptom of an exploited phpBB install. Check /tmp and /var/tmp for things like a.pl, blow.pl, etc., and any directories that don't belong, and get rid of them. Then get whoever is running phpBB to get themselves to the latest version.

  17. #17
    Thanks reasonsinger, I have banned my friends from using phpBB but will check.

  18. #18
    Hey guys,

    I have had this perl problem again this morning. Using /proc I got this:

    dr-xr-xr-x 3 nobody nobody 0 Jun 19 08:38 ./
    dr-xr-xr-x 156 root root 0 May 20 07:14 ../
    -r--r--r-- 1 nobody nobody 0 Jun 19 08:38 cmdline
    lrwxrwxrwx 1 nobody nobody 0 Jun 19 08:38 cwd -> /tmp/
    -r-------- 1 nobody nobody 0 Jun 19 08:38 environ
    lrwxrwxrwx 1 nobody nobody 0 Jun 19 08:38 exe -> /usr/bin/perl*
    dr-x------ 2 nobody nobody 0 Jun 19 08:38 fd/
    -r-------- 1 nobody nobody 0 Jun 19 08:38 maps
    -rw------- 1 nobody nobody 0 Jun 19 08:38 mem
    -r--r--r-- 1 nobody nobody 0 Jun 19 08:38 mounts
    lrwxrwxrwx 1 nobody nobody 0 Jun 19 08:38 root -> //
    -r--r--r-- 1 nobody nobody 0 Jun 19 08:38 stat
    -r--r--r-- 1 nobody nobody 0 Jun 19 08:38 statm
    -r--r--r-- 1 nobody nobody 0 Jun 19 08:38 status

  19. #19
    and grep perl gives me:


    spamd 423 root txt REG 3,3 939151 1131671 /usr/bin/perl
    spamd 423 root mem REG 3,3 7026 606289 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Hostname/Hostname.so
    spamd 423 root mem REG 3,3 8332 721027 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/DNS/DNS.so
    spamd 423 root mem REG 3,3 17942 1999015 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA1/SHA1.so
    spamd 423 root mem REG 3,3 12555 688227 /usr/lib/perl5/5.8.4/i686-linux/auto/MIME/Base64/Base64.so
    spamd 423 root mem REG 3,3 9941 3194961 /usr/lib/perl5/5.8.4/i686-linux/auto/Cwd/Cwd.so
    spamd 423 root mem REG 3,3 13687 2326649 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Syslog/Syslog.so
    spamd 423 root mem REG 3,3 17013 2802109 /usr/lib/perl5/5.8.4/i686-linux/auto/Time/HiRes/HiRes.so
    spamd 423 root mem REG 3,3 16268 32911 /usr/lib/perl5/5.8.4/i686-linux/auto/Fcntl/Fcntl.so
    spamd 423 root mem REG 3,3 17495 5931095 /usr/lib/perl5/5.8.4/i686-linux/auto/IO/IO.so
    spamd 423 root mem REG 3,3 24411 7913543 /usr/lib/perl5/5.8.4/i686-linux/auto/Socket/Socket.so
    spamd 423 root mem REG 3,3 43536 3489924 /usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/DB_File.so
    spamd 423 root mem REG 3,3 20932 9863306 /usr/lib/perl5/5.8.4/i686-linux/auto/List/Util/Util.so
    spamd 423 root mem REG 3,3 67458 8585287 /usr/lib/perl5/5.8.4/i686-linux/auto/Storable/Storable.so
    spamd 423 root mem REG 3,3 41544 8142963 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Parser/Parser.so
    spamd 423 root mem REG 3,3 102873 2212134 /usr/lib/perl5/5.8.4/i686-linux/auto/POSIX/POSIX.so
    chkservd 1033 root txt REG 3,3 939151 1131671 /usr/bin/perl
    chkservd 1033 root mem REG 3,3 24411 7913543 /usr/lib/perl5/5.8.4/i686-linux/auto/Socket/Socket.so
    chkservd 1033 root mem REG 3,3 7026 606289 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Hostname/Hostname.so
    chkservd 1033 root mem REG 3,3 102873 2212134 /usr/lib/perl5/5.8.4/i686-linux/auto/POSIX/POSIX.so
    spamd 1568 root txt REG 3,3 939151 1131671 /usr/bin/perl
    spamd 1568 root mem REG 3,3 7026 606289 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Hostname/Hostname.so
    spamd 1568 root mem REG 3,3 8332 721027 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/DNS/DNS.so
    spamd 1568 root mem REG 3,3 17942 1999015 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA1/SHA1.so
    spamd 1568 root mem REG 3,3 12555 688227 /usr/lib/perl5/5.8.4/i686-linux/auto/MIME/Base64/Base64.so
    spamd 1568 root mem REG 3,3 9941 3194961 /usr/lib/perl5/5.8.4/i686-linux/auto/Cwd/Cwd.so
    spamd 1568 root mem REG 3,3 13687 2326649 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Syslog/Syslog.so
    spamd 1568 root mem REG 3,3 17013 2802109 /usr/lib/perl5/5.8.4/i686-linux/auto/Time/HiRes/HiRes.so
    spamd 1568 root mem REG 3,3 16268 32911 /usr/lib/perl5/5.8.4/i686-linux/auto/Fcntl/Fcntl.so
    spamd 1568 root mem REG 3,3 17495 5931095 /usr/lib/perl5/5.8.4/i686-linux/auto/IO/IO.so
    spamd 1568 root mem REG 3,3 24411 7913543 /usr/lib/perl5/5.8.4/i686-linux/auto/Socket/Socket.so
    spamd 1568 root mem REG 3,3 43536 3489924 /usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/DB_File.so
    spamd 1568 root mem REG 3,3 20932 9863306 /usr/lib/perl5/5.8.4/i686-linux/auto/List/Util/Util.so
    spamd 1568 root mem REG 3,3 67458 8585287 /usr/lib/perl5/5.8.4/i686-linux/auto/Storable/Storable.so
    spamd 1568 root mem REG 3,3 41544 8142963 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Parser/Parser.so
    spamd 1568 root mem REG 3,3 102873 2212134 /usr/lib/perl5/5.8.4/i686-linux/auto/POSIX/POSIX.so
    spamd 2642 root txt REG 3,3 939151 1131671 /usr/bin/perl
    spamd 2642 root mem REG 3,3 7026 606289 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Hostname/Hostname.so
    spamd 2642 root mem REG 3,3 8332 721027 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/DNS/DNS.so
    spamd 2642 root mem REG 3,3 17942 1999015 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA1/SHA1.so
    spamd 2642 root mem REG 3,3 12555 688227 /usr/lib/perl5/5.8.4/i686-linux/auto/MIME/Base64/Base64.so
    spamd 2642 root mem REG 3,3 9941 3194961 /usr/lib/perl5/5.8.4/i686-linux/auto/Cwd/Cwd.so
    spamd 2642 root mem REG 3,3 13687 2326649 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Syslog/Syslog.so
    spamd 2642 root mem REG 3,3 17013 2802109 /usr/lib/perl5/5.8.4/i686-linux/auto/Time/HiRes/HiRes.so
    spamd 2642 root mem REG 3,3 16268 32911 /usr/lib/perl5/5.8.4/i686-linux/auto/Fcntl/Fcntl.so
    spamd 2642 root mem REG 3,3 17495 5931095 /usr/lib/perl5/5.8.4/i686-linux/auto/IO/IO.so
    spamd 2642 root mem REG 3,3 24411 7913543 /usr/lib/perl5/5.8.4/i686-linux/auto/Socket/Socket.so
    spamd 2642 root mem REG 3,3 43536 3489924 /usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/DB_File.so
    spamd 2642 root mem REG 3,3 20932 9863306 /usr/lib/perl5/5.8.4/i686-linux/auto/List/Util/Util.so
    spamd 2642 root mem REG 3,3 67458 8585287 /usr/lib/perl5/5.8.4/i686-linux/auto/Storable/Storable.so
    spamd 2642 root mem REG 3,3 41544 8142963 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Parser/Parser.so
    spamd 2642 root mem REG 3,3 102873 2212134 /usr/lib/perl5/5.8.4/i686-linux/auto/POSIX/POSIX.so
    spamd 3583 root txt REG 3,3 939151 1131671 /usr/bin/perl
    spamd 3583 root mem REG 3,3 7026 606289 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Hostname/Hostname.so
    spamd 3583 root mem REG 3,3 8332 721027 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/DNS/DNS.so
    spamd 3583 root mem REG 3,3 17942 1999015 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA1/SHA1.so
    spamd 3583 root mem REG 3,3 12555 688227 /usr/lib/perl5/5.8.4/i686-linux/auto/MIME/Base64/Base64.so
    spamd 3583 root mem REG 3,3 9941 3194961 /usr/lib/perl5/5.8.4/i686-linux/auto/Cwd/Cwd.so
    spamd 3583 root mem REG 3,3 13687 2326649 /usr/lib/perl5/5.8.4/i686-linux/auto/Sys/Syslog/Syslog.so
    spamd 3583 root mem REG 3,3 17013 2802109 /usr/lib/perl5/5.8.4/i686-linux/auto/Time/HiRes/HiRes.so
    spamd 3583 root mem REG 3,3 16268 32911 /usr/lib/perl5/5.8.4/i686-linux/auto/Fcntl/Fcntl.so
    spamd 3583 root mem REG 3,3 17495 5931095 /usr/lib/perl5/5.8.4/i686-linux/auto/IO/IO.so
    spamd 3583 root mem REG 3,3 24411 7913543 /usr/lib/perl5/5.8.4/i686-linux/auto/Socket/Socket.so
    spamd 3583 root mem REG 3,3 43536 3489924 /usr/lib/perl5/5.8.4/i686-linux/auto/DB_File/DB_File.so
    spamd 3583 root mem REG 3,3 20932 9863306 /usr/lib/perl5/5.8.4/i686-linux/auto/List/Util/Util.so
    spamd 3583 root mem REG 3,3 67458 8585287 /usr/lib/perl5/5.8.4/i686-linux/auto/Storable/Storable.so
    spamd 3583 root mem REG 3,3 41544 8142963 /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Parser/Parser.so
    spamd 3583 root mem REG 3,3 102873 2212134 /usr/lib/perl5/5.8.4/i686-linux/auto/POSIX/POSIX.so

  20. #20
    Someone has a worm/exploit running. Do this:

    cat /proc/<pid>/ipaddr

    Then go to /usr/local/apache/domlogs (or wherever your domain Apache logs are) and:

    grep <ip address> *

    That should tell you who got what exploited.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large
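
A worked version of the /proc walk Scott describes in posts #7 and #11, extended to the peer-address lookup post #20 is after. This is an added example, not code posted in the thread; the PID, file layout and log lines it is tested against are constructed, and it assumes a Linux /proc on an x86 (little-endian) host. There is no /proc/<pid>/ipaddr on a stock Linux kernel: a process's remote addresses come from its socket file descriptors matched against /proc/net/tcp, which is what proc_peers does below (lsof -p <pid> -i gives the same answer in one command). Note also that the lsof listing in post #19 shows only root-owned spamd and chkservd, the SpamAssassin and cPanel service-check daemons, so grepping for "perl" finds the legitimate daemons and not the nobody process; start from the PID top reports instead.

```shell
#!/bin/sh
# Added example (not from the thread): inspect one suspicious PID via /proc.
# PROC_ROOT defaults to the real /proc; pointing it at a constructed tree lets
# the functions run offline. Reading another user's fd/ and cwd needs root.

# argv of the process. /proc/PID/cmdline is NUL-separated, which is why a plain
# `cat` prints "perl/tmp/a.pl" run together; tr makes it readable.
proc_cmdline() {
    tr '\0' ' ' < "${PROC_ROOT:-/proc}/$1/cmdline" | sed 's/ $//'
}

# exe and cwd are symlinks. The shape seen in post #18 is exe -> /usr/bin/perl
# with cwd -> /tmp; an exe ending in " (deleted)" means the binary was unlinked
# after it started, which is worth noting too.
proc_exe() { readlink "${PROC_ROOT:-/proc}/$1/exe"; }
proc_cwd() { readlink "${PROC_ROOT:-/proc}/$1/cwd"; }

# /proc/net/tcp prints addresses as little-endian hex on x86 ("0100007F:0050"
# is 127.0.0.1:80). Convert one to dotted-quad:port.
hex2ip() {
    hex=${1%%:*}; port=${1##*:}
    b1=$(printf '%s' "$hex" | cut -c1-2); b2=$(printf '%s' "$hex" | cut -c3-4)
    b3=$(printf '%s' "$hex" | cut -c5-6); b4=$(printf '%s' "$hex" | cut -c7-8)
    printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$port))"
}

# Remote peers of the process's TCP sockets: every fd that is a socket:[inode]
# is looked up in /proc/net/tcp, where the inode is column 10 and the remote
# address column 3.
proc_peers() {
    for fd in "${PROC_ROOT:-/proc}/$1/fd"/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:*)
                inode=$(printf '%s' "$target" | tr -dc '0-9')
                rem=$(awk -v ino="$inode" '$10 == ino { print $3 }' "${PROC_ROOT:-/proc}/net/tcp")
                [ -n "$rem" ] && hex2ip "$rem"
                ;;
        esac
    done
}

# One-screen report for a PID, in the order a triage would read it.
proc_report() {
    printf 'pid:     %s\ncmdline: %s\nexe:     %s\ncwd:     %s\n' \
        "$1" "$(proc_cmdline "$1")" "$(proc_exe "$1")" "$(proc_cwd "$1")"
    printf 'peers:\n'; proc_peers "$1" | sed 's/^/  /'
}

# Usage: sh proc_triage.sh 13562
if [ -n "${1:-}" ]; then proc_report "$1"; fi
```

Run it while the process is alive; as post #11 says, nothing survives in /proc after the kill. A cwd of /tmp, an exe of /usr/bin/perl and an outbound connection to a host you do not recognise is the usual shape of these drops, and the peer address is the thing to grep for in the domain logs.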

  21. #21
    I would like to know how many people are currently downloading a particular file.

    I know I can use ps -aux for knowing the processes running, and that it will show Apache processes... but this command cuts the result lines, therefore I only see something like /usr/sbin/http.
    Any ideas?

  22. #22
    Originally posted by WebOnce
    Someone has a worm/exploit running. Do this:

    cat /proc/<pid>/ipaddr

    Then go to /usr/local/apache/domlogs (or wherever your domain Apache logs are) and:

    grep <ip address> *

    That should tell you who got what exploited.
    Sorry I didn't get back to you. I had killed the process, so therefore wouldn't have been able to do that, would I?

    Is there any way of tracking this down without the perl process running? It's only happened twice, so I don't know if it will again or when.

    Thanks.

  23. #23
    grep wget /usr/local/apache/domlogs/*

    That will show you some of the sites that people are trying to exploit... then you could try to match up the timestamps. Not as easy after the fact though.

    Also, if you have a lot of sites, that line won't work, as you will have too many files... and it does grep a lot of useless files. It gets a bit more complicated to do it properly.
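
An added example (not code posted in the thread) of the log correlation Jacob sketches in posts #20 and #23: find the requests that fetched a script, rank the source addresses, then list everything one address did across every site on the box. The log lines it is tested against are constructed in Apache combined format; the log directory defaults to the /usr/local/apache/domlogs path the thread names, and EXPLOIT_RE is an assumption about what such a request looks like (download tool or perl in the query string, a .pl URL, the phpBB highlight= injection with an encoded quote), not a complete signature set.

```shell
#!/bin/sh
# Added example (not from the thread): hunt the per-domain Apache logs for the
# request that fetched and ran a script. LOGDIR can point at a directory of
# captured logs to run offline.

# Fragments that show up in the request line when a web app is being made to
# download and run something. Spaces may arrive URL-encoded as %20, so both
# forms are matched. Assumed patterns, not an authoritative ruleset.
EXPLOIT_RE='(wget|curl|lynx|fetch|perl)(%20| )|[.]pl[?" ]|highlight=%27|highlight=%2527|fwrite[(]fopen[(]'

# Print "logfile client_ip [timestamp "method path" for every matching request.
# find ... -exec {} + batches the files, so it keeps working with hundreds of
# domain logs where the bare glob in post #23 fails with "argument list too
# long"; rotated .gz copies are skipped.
suspicious_requests() {
    find "${LOGDIR:-/usr/local/apache/domlogs}" -type f ! -name '*.gz' \
        -exec awk -v re="$EXPLOIT_RE" '$0 ~ re { print FILENAME, $1, $4, $6, $7 }' {} +
}

# Every request one client made, across all sites on the box: once an address
# is tied to the perl process, this shows which sites it hit and when.
requests_from_ip() {
    find "${LOGDIR:-/usr/local/apache/domlogs}" -type f ! -name '*.gz' \
        -exec awk -v ip="$1" '$1 == ip { print FILENAME, $4, $6, $7 }' {} +
}

# Rank the sources of the suspicious requests, busiest first.
top_sources() {
    suspicious_requests | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Usage: sh loghunt.sh top            (rank suspicious sources)
#        sh loghunt.sh 203.0.113.7    (everything that client did)
case ${1:-} in
    '') ;;                    # no argument: only define the functions
    top) top_sources ;;
    *) requests_from_ip "$1" ;;
esac
```

Rotated .gz logs are skipped, so for an incident 8 days old (post #30) run the same awk over zcat of the archived files. Matching the timestamp of a hit against the start time top shows for the perl process (the TIME+ column only gives accumulated CPU; ps -o lstart gives the start) is the correlation post #23 has in mind.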

  24. #24
    Why on earth do you have perl scripts running as nobody? suexec that mother.

  25. #25
    suexec will not change a thing. We went round and round on this sort of thing for weeks and it was maddening. We tried all the tricks (ps aux, lsof, grepping logs, etc.) and simply could not nail the source down, whether it was an exploited phpBB or some other exploitable script.

    We also verified the server config:
    - suexec enabled
    - tmp mounted noexec

    And still a.pl, ret.pl, udp.pl etc. would appear in /tmp night after night.

    What finally stopped it was the installation of two things:

    One, APF/BFD, which stopped the outbound traffic from the phpBB worm as well as the UDP DDoS script that would occasionally be installed (udp.pl).

    Two, mod_security, which you can install in WHM under cPanel > Addon Modules. Install the basic ruleset. Then manually add these:

    Code:
    ############################################################
    ############################################################
    
    # Rule ID: 32
    # Safety: Normal
    #
    #
    # phpBB exploit prevention the REAL fix
    
    # PHPBB exploit attack
    SecFilterSelective THE_REQUEST "viewtopic.php" chain
    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|cmd|fopen|exit|fwrite)"
    
    ############################################################
    ############################################################
    
    # Rule ID: 34
    # Safety: Normal
    #
    #
    # phpBB: General protection
    
    #phpbb XSS
    SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
    
    #phpbb XSS
    SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
    
    #More PHPBB worms
    SecFilter "^/viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)"
    
    #another variation of the PHPBB worm sigs
    SecFilterSelective THE_REQUEST "viewtopic\.php" chain
    SecFilterSelective "THE_REQUEST|ARG_VALUES" "(passthru|cmd|fopen|exit|fwrite)"
    
    #phpbb Session Cookie
    SecFilterSelective COOKIE_sessionid  "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
    SecFilter "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D"
    
    ############################################################
    ############################################################
    
    # Rule ID: 11
    # Safety: Safe
    #
    #
    # phpBB: highlight vulnerability
    # 
    # phpBB viewtopic.php fails to properly sanitize input passed to the "highlight" parameter
    # 
    # References:
    # 
    # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
    # http://www.kb.cert.org/vuls/id/497400
    # http://secunia.com/advisories/13239/
    
    SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
    SecFilterSelective ARG_highlight "%27"
    
    # Exploit phpBB Highlighting SQL Injection
    SecFilter "&highlight=\'\.mysql_query\(" 
    
    # Exploit phpBB Highlighting Code Execution - Santy.A Worm
    SecFilter "&highlight=\'\.fwrite\(fopen\(" 
    
    # Exploit phpBB Highlight Exploit Attempt
    SecFilter "&highlight=\x2527\x252Esystem\("
    
    ############################################################
    ############################################################
    mod_security is what stopped this junk in its tracks. It's a very handy tool... read up on it so you understand what it is doing.

    Good luck ~~~

    Bailey
    Let's Connect on Twitter! @thatsmsgeek2u || Fighting mediocrity one thread at a time.

  26. #26
    Thanks Bailey, I'll be reading up on that tonight and installing it.

  27. #27
    By the way, how would I check "tmp mounted noexec"?

    suexec is already enabled.

  28. #28
    aqi32, if you want to find which account is using Perl scripts then run this command:

    tail -f /usr/local/apache/logs/suexec_log

    Use CTRL-C to quit.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  29. #29
    bithost, thanks for sharing the mod_security code.

    Although we don't have a problem with phpBB vulnerabilities -- due to our current security settings -- it's always good to know other ways to improve upon server security.

  30. #30
    Thanks Rob.

    Running that line only gave me results for yesterday; would only yesterday be logged? This last perl incident on my server happened roughly 8 days ago.

    I don't allow my friends to have phpBB, so am pretty sure that's not at fault.

  31. #31
    Whenever "tail -f" is used you are watching results in real time.

    Even if no Perl scripts have been run since yesterday, you now know which account is using what Perl script.
    When your server load goes high again, run the tail command. You can then pinpoint if one of those Perl scripts is the culprit.
    Also use the previously posted information to pinpoint the PID, and problems with high resource usage should soon be solved.

  32. #32
    Originally posted by aqi32
    by the way how would i check " tmp mounted noexec" ?

    suexec is already enabled
    Type mount to see the status of current drives.

  33. #33
    I see what you're getting at now Rob, thank you; gotta wait until it happens again.

    mount gave me

    /dev/hda3 on / type ext3 (rw,usrquota)
    none on /proc type proc (rw)
    none on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/hda1 on /boot type ext3 (rw)
    none on /dev/shm type tmpfs (rw)
    /usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
    /tmp on /var/tmp type none (rw,noexec,nosuid,bind)

    I assume /tmp on /var/tmp type none (rw,noexec,nosuid,bind) means that noexec is enabled?

    Thanks again.

  34. #34
    Yes, it is mounted with noexec.

  35. #35
    That is correct.

    You will probably run into problems though, with scripts used by Clients, as many of them need to read/write to the 'tmp' directory. After all, that's what the 'tmp' directory is for.

  36. #36
    Hehe, I don't have any clients, only me, my mum and a couple of friends on the server. I'm a designer, not a host.


    Thanks for all the help guys, a very informative thread.

  37. #37
    Originally posted by Website Rob
    That is correct.

    You will probably run into problems though, with scripts used by Clients, as many of them need to read/write to the 'tmp' directory. After all, that's what the 'tmp' directory is for.
    Actually, no he should not have problems... /tmp is mounted rw,noexec, so that scripts can read & write but cannot execute. Although this does not stop everything, which is why this junk is able to run from /tmp.

    aqi, for what it's worth, we tried tailing the Apache logs and were still not able to identify the hole letting people in. You already know where the script is running from, right? In /tmp. So that's just going to tell you that the script was running as nobody, in /tmp. Old news. The question is how it's getting there. It has to be a script which has an exec command or a known security exploit. I would have no idea what that could be -- you should have a much better idea what your friends are running.

    Putting in a basic/safe ruleset for mod_security will stop the most common exploits. There are rules written to plug up common exploits/issues with phpnuke, etc., as well as which limit the calling of basic commands. However these rules do not limit the functioning of legitimate website operations. They just stop the stuff that is commonly misused.

    Let us know how it goes!

    Bailey

  38. #38
    I've had a problem with this mod_security. Well, not me; my brother also installed it yesterday on his server, on which he runs a counter service.

    For some reason this caused all visitor logs to show his IP, and a lot less visitors!!! He has uninstalled mod_security via cPanel but the problem still persists. The only change he made was installing mod_security.

    Would installing it have changed any server settings or something? Is there something left behind after uninstalling it through cPanel that is causing the problem?

  39. #39
    It seems to be saying this is the agent:

    (NetCache NetApp/5.5R6)

    Is that anything to do with mod_security?
