Web Hosting Talk : Hosting Security and Technology

Trojan activity - running perl with high CPU usage, with user apache
#1  09-05-2007, 02:07 AM
hari_kalathil (New Member; Join Date: Sep 2007; Location: Calicut, Kerala, India; Posts: 1)



Problem:
Programs named perl running with heavy CPU usage, under the ownership of user apache.
We found the problem on Fedora 3 and Fedora 6.

In our case, it was the result of a Trojan activity.

Quick Solution

Check the cron jobs of user apache
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile

Delete the cronjob entry.
Also delete the file /tmp/.tmp/tmpfile,
and add "apache" to the file /etc/cron.deny.

That's all

Problem and solution in detail.

Symptoms
The system was running at a very slow speed.
Issued the top command and found a program named perl running under user apache, consuming close to 100% CPU. Sometimes it showed multiple instances of the same program running.

The system acted as a mail-bombing source; the sender was apache@ourdomain.
The mail queue got clogged very quickly (postqueue -p).

Tried to catch the executable:
issued ps -o cmd <pid>
and found that the program /usr/bin/web/httpd had been invoked.
But there was no such program on the system,

which confirmed that it was a hack/exploit.

Tried other commands like
pstree -nap
pidof httpd | wc -w

Instead of giving 9 httpd processes, it showed more than 10.

Then killed the process with
service httpd stop
service httpd stop

(it had to be run twice, as the first one stops the genuine httpd service and the second one the hacker's)
Then killed all the programs owned by apache.
pkill -KILL -u apache

How we got the evidence?

Updated the Clam antivirus, and the postmaster got a virus alert mail from the content filter (Amavis-New). The detected virus was "Trojan.Perl.Shellbot-2".

Searched for the virus on Google, and on the McAfee site there was a description of the attack, which mentioned the /tmp/.tmp directory where the Trojan was planted.
We searched for it and found such a directory, with an executable named tmpfile in it.

We deleted it and, after some time, the postmaster got a mail about a failed cronjob. In that mail, we got the cronjob entry as "perl /tmp/.tmp/tmpfile", and the user was apache.

Checked the cron jobs of user apache
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile

and deleted the cronjob entry. Also deleted the file /tmp/.tmp/tmpfile,
and added "apache" to the file /etc/cron.deny.

Now the system seems ok.

Anybody faced similar problems? Please suggest the countermeasures for such attacks.


Thanks
Hari
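The two indicators the post relies on (a service account's crontab pointing into /tmp, and a process whose reported command path does not exist on disk) can be turned into repeatable checks. The script below is an added example written for this thread, not code from the original poster; the crontab and ps lines in it are constructed samples mirroring what the post reports, and /usr/local/bin/backup.sh is an invented benign entry. Each check reads text on stdin so the same function can be fed live command output.

```shell
#!/bin/sh
# Added example, not code from the thread: defender-side checks for the two
# indicators the original post describes (a service account's crontab pointing
# into /tmp, and a process whose argv[0] names a binary that does not exist on
# disk). Each check reads text on stdin so it can be fed either live command
# output or the constructed samples below.

# Check 1: crontab lines that run anything out of a world-writable scratch
# directory. Feed it the output of `crontab -u apache -l`.
suspicious_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'
}

# Check 2: processes whose argv[0] is an absolute path that does not exist.
# Feed it the output of `ps -eo pid=,user=,args=`. The post saw
# "/usr/bin/web/httpd" in ps output with no such file on the system; a script
# can rewrite its own argv[0], so this catches the disguise, not the real
# interpreter behind it.
phantom_binaries() {
    while read -r pid user cmd rest; do
        case "$cmd" in
            /*) [ -e "$cmd" ] || printf '%s %s %s\n' "$pid" "$user" "$cmd" ;;
        esac
    done
}

# Live follow-up for a hit from check 2: /proc/<pid>/exe is the kernel's view
# of the executable actually running and is not affected by a forged argv[0].
real_exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Constructed samples mirroring what the post reports (not real output).
SAMPLE_CRONTAB='# nightly housekeeping (constructed benign entry)
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * perl /tmp/.tmp/tmpfile'

SAMPLE_PS='1234 apache /usr/bin/web/httpd
5678 root   /bin/sh -c sleep 60
9012 apache perl /tmp/.tmp/tmpfile'

echo "== cron entries running from scratch dirs =="
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
echo "== processes whose argv[0] path is missing on disk =="
printf '%s\n' "$SAMPLE_PS" | phantom_binaries
```

On a live host, replace the samples with `crontab -u apache -l | suspicious_cron_entries` and `ps -eo pid=,user=,args= | phantom_binaries`, then run `real_exe_of <pid>` on any hit; the second sample line (`perl /tmp/.tmp/tmpfile`) is deliberately not flagged by check 2, because its argv[0] is a bare interpreter name, which is why check 1 and the /proc lookup are needed alongside it.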



#2  09-05-2007, 03:13 AM
logbear (Newbie; Join Date: Aug 2007; Posts: 20)
We had a similar case about 2 and a half years ago. The script maxed out the CPU and increased bandwidth usage to the point of being suspended by the data center operators.

It was caused by the apache/php CONNECT bug, and a script kiddy. We updated Apache and disallowed the CONNECT method in httpd.conf and the problem was solved for good.

That bug appears when there is an index.php on the root of a site on certain Apache versions (I don't remember exactly, but it was on the 1.3 branch).

Regards,

Leo


Last edited by logbear; 09-05-2007 at 03:17 AM. Reason: Gramatical correction