  1. #1
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285

    Warning messages from the nobody check script

    Hi all,
    I am getting the following warning messages from the nobody check script by Webhostgear ( http://www.webhostgear.com/353.html )

    Warning: Malicious Nobody Process Found
    =========================================
    Options: kill bad proc=1 logging lvl=1

    SCAN SUMMARY
    ========================================

    Clean Processes: 12
    DETECTED Malicious Processes: 1

    DETECTION DETAILS
    ========================================

    DETECTION: Process 7752 with name perl and path /usr/bin/perl

    Process ID: 7752 has been killed
    Restuls for PID: 7752
    total 0
    dr-xr-xr-x 3 nobody nobody 0 Apr 21 12:35 .
    dr-xr-xr-x 1856 root root 0 Apr 2 16:12 ..
    -r-------- 1 nobody nobody 0 Apr 21 13:00 auxv
    -r--r--r-- 1 nobody nobody 0 Apr 21 12:35 cmdline
    lrwxrwxrwx 1 nobody nobody 0 Apr 21 13:00 cwd -> /
    -r-------- 1 nobody nobody 0 Apr 21 13:00 environ
    lrwxrwxrwx 1 nobody nobody 0 Apr 21 12:35 exe -> /usr/bin/perl
    dr-x------ 2 nobody nobody 0 Apr 21 12:36 fd
    -r--r--r-- 1 nobody nobody 0 Apr 21 13:00 maps
    -rw------- 1 nobody nobody 0 Apr 21 13:00 mem
    -r--r--r-- 1 nobody nobody 0 Apr 21 13:00 mounts
    -r-------- 1 nobody nobody 0 Apr 21 13:00 mountstats
    lrwxrwxrwx 1 nobody nobody 0 Apr 21 13:00 root -> /
    -r-------- 1 nobody nobody 0 Apr 21 13:00 smaps
    -r--r--r-- 1 nobody nobody 0 Apr 21 12:35 stat
    -r--r--r-- 1 nobody nobody 0 Apr 21 12:35 statm
    -r--r--r-- 1 nobody nobody 0 Apr 21 12:35 status
    dr-xr-xr-x 3 nobody nobody 0 Apr 21 13:00 task
    -r--r--r-- 1 nobody nobody 0 Apr 21 13:00 wchan

    Netstat:

    Environ:

    Server Admin action is required immediately.
    Any ideas or pointers for me as to what may be causing this?
    Many thanks,

    - Vince
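    Note what the output above shows: the process was killed first ("Process ID: 7752 has been killed") and only then was /proc inspected, so the Netstat and Environ sections came back empty. The listing below is an added example, not the Webhostgear script and not from this thread: a POSIX sh scan that reads the same /proc entries (status, exe, cwd, cmdline) to list processes owned by a given UID whose executable is a script interpreter, and a triage helper that captures fd/, cwd and environ before anyone kills anything. The interpreter list and the fallback UID 99 are assumptions; PROC_ROOT is a parameter so the functions can be run against a constructed tree. Run it as root, since only root (or the owning user) can read another process's exe link and environ.

```shell
#!/bin/sh
# Added example (not the webhostgear script): list processes owned by a
# given UID whose executable is a script interpreter, reading the /proc
# entries the thread's output shows (status, exe, cwd, cmdline). It
# reports instead of killing, so fd/, environ and the socket table are
# still there for triage. PROC_ROOT is a parameter so the functions can
# be pointed at a constructed tree for testing.

# Interpreters that are commonly handed a file out of /tmp. Assumed list;
# extend it for what your hosts actually run.
INTERP_RE='/(perl|python[0-9.]*|php(-cgi)?|sh|bash|dash|ruby)$'

# proc_uid PID_DIR -> real UID from the "Uid:" line of status
proc_uid() {
    awk '/^Uid:/ { print $2; exit }' "$1/status" 2>/dev/null
}

# scan_interp_procs PROC_ROOT UID
# Prints "PID EXE CWD CMDLINE" for each matching process; nothing if clean.
scan_interp_procs() {
    root=$1; want=$2
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        [ "$(proc_uid "$d")" = "$want" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        printf '%s\n' "$exe" | grep -Eq "$INTERP_RE" || continue
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd='?'
        # cmdline is NUL-separated; turn it into one printable line
        cmd=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null)
        printf '%s %s %s %s\n' "${d##*/}" "$exe" "$cwd" "$cmd"
    done
}

# count_interp_procs PROC_ROOT UID -> number of matching processes
count_interp_procs() {
    scan_interp_procs "$1" "$2" | grep -c . || true
}

# triage_proc PROC_ROOT PID -> the evidence worth capturing BEFORE any kill:
# where it runs from, what binary, which files/sockets it holds, its env.
triage_proc() {
    d=$1/$2
    echo "== $d"
    ls -l "$d/cwd" "$d/exe" 2>/dev/null
    echo "-- open files and sockets"; ls -l "$d/fd" 2>/dev/null
    echo "-- environment"; tr '\000' '\n' < "$d/environ" 2>/dev/null
}

# Live usage (skipped unless SCAN_LIVE is set): scan the real /proc for
# the nobody user; 99 is an assumed fallback UID if the lookup fails.
if [ -n "${SCAN_LIVE:-}" ]; then
    uid=$(id -u nobody 2>/dev/null) || uid=99
    scan_interp_procs /proc "$uid"
fi
```

    Feed every PID the scan prints to triage_proc and save that output (together with `netstat -anp` filtered on the PID) before deciding whether to kill; once the process is gone, /proc/PID is gone with it.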

  2. #2
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    Well, that means pretty much what it says. The user 'nobody' was running a perl script.

    Is this in and of itself problematic? No.
    Is this something that needs to be investigated? Yes.
    Have your server admin go through and look through the logs, look through the server for rootkits.

  3. #3
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285
    Hi,
    Here is the response from the server admin, although I am surprised that any files in /tmp could be run?

    I found following suspicious files uploaded to /tmp.

    -bash-3.00# pwd
    /tmp
    -bash-3.00# ls -a
    . .ICE-unix 232-fast.inc3pIJ9L 232-fast.incjHUqkF bot.txt cmdtemp dp mysql.sock sess_ab6a04249d3bfe5063ab86a824f65886
    .. .tmp 232-fast.incfSK0XS bdpl clamd.log cpbandwidth gabi.zip pear session
    -bash-3.00# cd .tmp
    -bash-3.00# ls -a
    . .. LinkEvents autorun bash inst inst.txt m.help r run start xh

    I have removed these files now.
    Shame there isn't a cPanel script to warn of these things.
    Any further clarifications would be very appreciated.
    Many thanks,

    - Vince

  4. #4
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    You can check our CSF. It sends out mail when some user performs a dangerous process.

    http://configserver.com/cp/csf.html

    Some of its features.

    Code:
    # Suspicious process reporting - reports potential exploits running on the server
    # Excessive user processes reporting
    # Excessive user process usage reporting and optional termination
    # Suspicious file reporting - reports potential exploit files in /tmp and similar directories
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  5. #5
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    You've got (at minimum) a bot on your server, in the /tmp directory, probably more than that.

    Unfortunately, it's entirely possible to run anything out of /tmp. Even 'securing' it doesn't work because you can always call the file through the handler (i.e. perl, bash, etc.). In this case, perl was called and used.

    Basically, you need to keep on top of this information. You're starting to do so, but you need to be able to handle these alerts instantly, not 24 hours after they came up. 24 hours is way too long to let a bot live and breathe.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  6. #6
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285
    Thanks for reply, much appreciated.
    So as there is no way to stop files executing in /tmp what about not having a /tmp directory at all or renaming it?

    I used to have a cron running every 15 minutes, and it deletes all of the files in /tmp, excluding PHP session files:
    */15 * * * * find /tmp -type f ! -name 'sess_*' -exec rm -f {} + >/dev/null 2>&1
    Would this help?

    FYI, I use eAccelerator in a custom directory name.

    Must say I am surprised the great Linux World does not have a solution to this.

    Thanks for all your assistance,

    - Vince

  7. #7
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285
    By the way, is the following a good method for securing /tmp or is it outdated now:

    http://www.eth0.us/tmp

    Thanks,

    - Vince

  8. #8
    Join Date
    Jul 2003
    Location
    Goleta, CA
    Posts
    5,550
    It's the standard method but as mentioned it's easy to work around /tmp protection.
    Patron: I'd like my free lunch please.
    Cafe Manager: Free lunch? Did you read the fine print stating it was an April Fool's joke.
    Patron: I read the same way I listen, I ignore the parts I don't agree with. I'm suing you for false advertising.
    Cafe Owner: Is our lawyer still working pro bono?

  9. #9
    Typically during an install, I'll break /tmp out into a dedicated partition and mount it with nosuid and noexec attributes. This stops most script kiddies in their tracks.
    ServiceFlex - High Performance Web Solutions
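    Two points from this thread worth seeing in working code: post #9's noexec/nosuid /tmp, and post #5's observation that an interpreter sidesteps it. What follows is an added example, not from any of the posters or from the eth0.us page: a mount-option check that reads /proc/mounts (parameterised so it can be tested against a constructed file) and a small demonstration of the bypass. The fstab line is an assumed one; mode 0644 stands in for noexec in the demo so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): check which hardening options a
# mountpoint carries, and show why a noexec /tmp is only part of the answer.
# MOUNTS_FILE is normally /proc/mounts; it is a parameter for testing.

# Assumed fstab line for the dedicated /tmp partition post #9 describes:
#   /dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  0 2
# /var/tmp and /dev/shm are just as writable by nobody and want the same.

# mount_opts MOUNTS_FILE MOUNTPOINT -> option string of the last mount
# on that mountpoint (a later overmount is the one that is in effect)
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# missing_mount_opts MOUNTS_FILE MOUNTPOINT -> prints each of noexec,
# nosuid, nodev that is not set; prints nothing when all three are present
missing_mount_opts() {
    opts=$(mount_opts "$1" "$2")
    for o in noexec nosuid nodev; do
        case ",$opts," in
            *,"$o",*) ;;
            *) printf '%s\n' "$o" ;;
        esac
    done
}

# interp_bypass_demo DIR -> drop a script into DIR that cannot be executed
# directly and show that "sh script" still runs it. noexec is enforced by
# the kernel on execve(); "sh /tmp/x" only execve()s /bin/sh and reads
# /tmp/x as data, so the mount option never sees it. Mode 0644 stands in
# for noexec here so the demo runs unprivileged.
interp_bypass_demo() {
    f=$1/bot.sh
    printf '#!/bin/sh\necho hi\n' > "$f"
    chmod 0644 "$f"
    if "$f" >/dev/null 2>&1; then direct=executed; else direct=blocked; fi
    if sh "$f" >/dev/null 2>&1; then via=executed; else via=blocked; fi
    printf 'direct=%s interpreter=%s\n' "$direct" "$via"
}

# Live usage (skipped unless CHECK_LIVE is set): report the scratch
# mounts that are missing any of the three options.
if [ -n "${CHECK_LIVE:-}" ]; then
    for mp in /tmp /var/tmp /dev/shm; do
        printf '%s: missing %s\n' "$mp" \
            "$(missing_mount_opts /proc/mounts "$mp" | tr '\n' ' ')"
    done
fi
```

    The demo prints `direct=blocked interpreter=executed`, which is exactly post #5's point: noexec stops the drive-by `chmod +x; ./bot`, and it stops setuid helpers when paired with nosuid, but a `perl /tmp/.tmp/bash` still needs something else to catch it (process reporting like the nobody check, or denying the web user an interpreter at all).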

  10. #10
    Join Date
    Mar 2004
    Location
    London, UK
    Posts
    285
    Thanks for reply.
    Anyone have a comment if still useful to have this cron run anyway?

    */15 * * * * find /tmp -type f ! -name 'sess_*' -exec rm -f {} + >/dev/null 2>&1
    Regards,

    - Vince
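    On the sweep question: the cron line as posted deletes everything the moment it lands, including files a legitimate upload or PHP's own temp files are still using, and it destroys the evidence (bot.txt, the .tmp tree) that post #2 asked to have investigated. The function below is an added example, not the poster's cron and not a cPanel or CSF feature: it keeps the sess_ exclusion, adds an age threshold so files still in use are left alone, and can move hits into a quarantine directory with a manifest instead of deleting them. `-mmin` is a GNU/BSD find option, not strict POSIX; the quarantine path must sit outside the swept tree.

```shell
#!/bin/sh
# Added example (not the thread's cron): sweep a scratch directory of
# regular files older than MAX_AGE_MIN minutes, skipping PHP session
# files, and either delete them or move them to a quarantine directory
# with a manifest for later triage.
#
# Assumed crontab lines using it:
#   */15 * * * * /usr/local/sbin/tmp_sweep.sh /tmp 30 /var/quarantine
#   */15 * * * * /usr/local/sbin/tmp_sweep.sh /var/tmp 30 /var/quarantine

# tmp_sweep DIR MAX_AGE_MIN [QUARANTINE_DIR]
#   -xdev      : never follow a mount into another filesystem
#   -type f    : sockets (mysql.sock) and directories are left alone
#   ! -name    : PHP session files survive
#   -mmin +N   : only files untouched for more than N minutes
#   -exec ... +: file names are passed as arguments, so spaces and
#                other odd characters in a name cannot split or escape
tmp_sweep() {
    dir=$1; age=$2; quar=${3:-}
    find "$dir" -xdev -type f ! -name 'sess_*' -mmin +"$age" \
        -exec sh -c '
            quar=$1; shift
            for f; do
                if [ -n "$quar" ]; then
                    # flatten the path so /tmp/.tmp/bash and /tmp/bash
                    # land under distinct names
                    dest=$quar/$(printf "%s" "$f" | tr "/" "_")
                    mv -f -- "$f" "$dest" \
                        && printf "%s -> %s\n" "$f" "$dest" >> "$quar/MANIFEST"
                else
                    rm -f -- "$f"
                fi
            done' sh "$quar" {} +
}

# Live usage when the script is invoked with arguments (skipped under test).
if [ $# -ge 2 ]; then
    tmp_sweep "$@"
fi
```

    Quarantining rather than deleting is what turns "I found bot.txt and removed it" into something the admin can actually read: the file is still there, the manifest says where it came from, and the cron keeps /tmp from filling up in the meantime.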
