

Rogue Perl Script Help




Posted by xftp, 04-20-2009, 06:00 AM
I've got a rogue perl script running on one of my servers and need help in tracking it down.

TOP:
1877 apache 25 0 4856 3060 1252 R 49.9 0.3 13:51.98 perl

As soon as ps is killed it restarts.

/tmp:
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.1
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.10
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.11
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.12
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.13
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.14
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.15
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.16
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.17
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.18
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.2
-rw-r--r-- 1 apache apache 48444 Apr 15 01:11 blue.3
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.4
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.5
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.6
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.7
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.8
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.9

and over the past couple of days there's been a number of these:

-rw------- 1 apache apache 99 Apr 20 02:22 sess_00f39873b47be556f0c047e96b726640
-rw------- 1 apache apache 68 Apr 20 08:20 sess_01d2ba3e471475384ea3c1d2ff1cde7f
-rw------- 1 apache apache 0 Apr 20 06:04 sess_01ea1b9ebe41331239ded82506f66090
-rw------- 1 apache apache 0 Apr 19 23:04 sess_0a83f93845da3fabce31d897f13735b0
-rw------- 1 apache apache 68 Apr 20 01:50 sess_0c83beb8ba2ce1f42833874b0d8a7470
-rw------- 1 apache apache 68 Apr 20 08:25 sess_0d5989b161d7d6434692de42faa248ab
-rw------- 1 apache apache 0 Apr 19 18:15 sess_10f858c3904a12a1e4c9e7da70e0fbb8
-rw------- 1 apache apache 26 Apr 20 09:39 sess_11a8b8d85883c8f2da146bb8f97bd25e
-rw------- 1 apache apache 68 Apr 19 14:22 sess_11f018952ec1cae08e6d8a95a0c99287
-rw------- 1 apache apache 26 Apr 19 21:18 sess_1706bf1b9e5d4b09e29cfbc3517d6755
-rw------- 1 apache apache 26 Apr 20 02:22 sess_1c48c7232dbc7087c312d43debb942a7
-rw------- 1 apache apache 0 Apr 20 06:46 sess_1cdf7ecf082c27f389b759adef50f932
-rw------- 1 apache apache 0 Apr 20 08:04 sess_1d6d06ea737c1eff71152a590cd420a4
-rw------- 1 apache apache 26 Apr 20 09:42 sess_26b16f5a5b59639af28f6bc49dba1ed5

Any help would be greatly appreciated.

Posted by bear, 04-20-2009, 07:09 AM
ps aux | grep perl

Take the PID of the process and:

lsof -p <PID> | less

This should show some useful info.

ps -efH | less

Might show something useful.

ps aux --forest

Shows all procs with a tree of parent/child relationships.
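The thread's later finding (grep for "perl" returns nothing, yet top shows "perl" and ps --forest shows "httpdse") is the classic argv[0] rename: ps prints what the process put in /proc/PID/cmdline, which a Perl script can rewrite with `$0 = "httpdse"`, while top's COMMAND column and /proc/PID/comm keep the real program name. The following script is an added example, not code from this thread: it sweeps a /proc tree and reports every process whose comm does not appear anywhere in its argv[0], then prints the exe and cwd links so you can see what binary it really is and where it was launched from. The sample /proc tree it builds is constructed for the demo (PIDs 1788 and 1877 and their names are assumed to mirror the thread); run `find_masked_procs` with no argument to sweep the live box.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose kernel-side name
# (/proc/PID/comm, what top's COMMAND column shows) disagrees with the argv[0]
# they present to ps (/proc/PID/cmdline). A Perl script that sets
# $0 = "httpdse" shows as "httpdse" in ps but as "perl" in top and in comm,
# which is why `ps aux | grep perl` can come back empty.
#
# Usage: find_masked_procs [PROC_ROOT]   (PROC_ROOT defaults to the live /proc)
# Output: PID, comm, argv[0], exe target, cwd, tab-separated.

find_masked_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] && [ -r "$d/cmdline" ] || continue
        pid=${d##*/}
        comm=$(cat "$d/comm")
        # cmdline is NUL-separated; argv[0] is everything before the first NUL
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue        # kernel threads have an empty cmdline
        # comm is capped at 15 chars by the kernel and argv[0] may carry a path
        # or decoration ("-bash", "sshd: user@pts/0"), so accept any argv[0]
        # that still contains the comm string
        case "$argv0" in
            *"$comm"*) continue ;;
        esac
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$comm" "$argv0" "$exe" "$cwd"
    done
}

# Constructed sample tree standing in for /proc (assumed layout, not a real
# capture): one honest httpd worker and one Perl process that rewrote its
# argv[0] to "httpdse", mirroring PIDs 1788 and 1877 from the thread.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1788" "$root/1877"
    printf 'httpd\n'                       > "$root/1788/comm"
    printf '/usr/sbin/httpd\0-k\0start\0'  > "$root/1788/cmdline"
    printf 'perl\n'                        > "$root/1877/comm"
    printf 'httpdse\0'                     > "$root/1877/cmdline"
    echo "$root"
}

# Demo on the constructed tree; only PID 1877 should be reported.
sample=$(make_sample_proc)
find_masked_procs "$sample"
rm -rf "$sample"
```

On a live system expect a few benign hits (wrappers that exec a differently named binary, login shells with a leading dash are filtered but other decorated names may not be); the exe and cwd columns are what separate those from a script running out of /tmp. Pair each hit with `lsof -p PID` as suggested above to see its sockets and open files.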

Posted by xftp, 04-20-2009, 09:09 AM
ps aux | grep perl doesn't return anything. Using PID 1877 from TOP:

lsof -p 1877 | less

This looks sus:

perl 1877 apache 4u IPv4 845420891 TCP hostname:55583->rom068.server4you.de:webcache (ESTABLISHED)

ps aux --forest below seems strange:

apache 1775 86.3 0.3 4852 3064 ? S Apr15 6540:51 httpdse
apache 1788 0.0 0.3 4856 3044 ? S Apr15 3:27 httpdse
apache 1877 1.3 0.3 4856 3060 ? R Apr15 98:54 httpdse
apache 3078 0.0 0.3 4856 3044 ? S Apr15 4:12 httpdse
apache 3090 0.0 0.3 4856 3044 ? S Apr15 2:26 httpdse
apache 3096 0.1 0.3 4856 3040 ? S Apr15 12:34 httpdse
apache 3108 0.0 0.3 4852 3040 ? S Apr15 3:11 httpdse

Posted by ServerManagement, 04-20-2009, 09:53 AM
You should install suexec/phpsuexec to be able to easily track the owner of those processes.

Posted by hiabhilash, 04-20-2009, 11:52 AM
Running since April 15th? Does cat /proc/1877/environ have anything useful?

Posted by xftp, 04-20-2009, 01:20 PM
After firewalling rom068.server4you.de I managed to kill PID 1877 and the CPU has dropped back down to normal, and it hasn't restarted. Apparently httpdse has to do with Joomla? http://www.h-online.com/security/Joo...r--/news/75459 However there are no installs of Joomla on the server. I'm going to kill all PIDs with this in them. I now have suexec; how is it used to output process owners?

Posted by xftp, 04-20-2009, 01:49 PM
On looking at a 'blue' file in tmp it starts off as:

#!/usr/bin/perl
# this spreader is coded by xdh
# xdh@xxxxxxxxxxx
# only for testing...
[SNIP]

Then a long list of names and some code.

Posted by ramnet, 04-20-2009, 08:56 PM
Very suspicious. Search the filesystem for the process names that appear and remove them! Then kick the user who put them there (should be obvious as the files will be owned by that user even if not run as that user).
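To act on this advice without eyeballing every file, the script below is an added example (not from this thread) that walks a scratch directory such as /tmp, keeps only regular files owned by the given account that begin with a shebang, and prints a cksum beside each so the repeated copies (blue, blue.1, blue.2 ... were all the same size in the thread) fall into one group. The sample directory it builds is constructed for the demo, with file contents assumed from the header quoted above; on the real box run it as `find_dropped_scripts /tmp apache` (and again for any other world-writable directory the web server can reach).

```shell
#!/bin/sh
# Added example (not from the thread): list files under a scratch directory
# that are owned by the web-server account and start with a shebang, and
# print a checksum so identical copies group together.
#
# Usage: find_dropped_scripts DIR OWNER     e.g. find_dropped_scripts /tmp apache
# Output: CRC checksum, path, first line, tab-separated.

find_dropped_scripts() {
    dir=$1
    owner=$2
    find "$dir" -xdev -type f -user "$owner" 2>/dev/null | while IFS= read -r f; do
        # only look at the first line; a dropper's interpreter line is enough
        first=$(head -c 80 "$f" 2>/dev/null | head -n 1)
        case "$first" in
            '#!'*)
                sum=$(cksum < "$f" | cut -d ' ' -f 1)
                printf '%s\t%s\t%s\n' "$sum" "$f" "$first" ;;
        esac
    done
}

# Constructed sample directory (not a real /tmp capture): two copies of a
# Perl dropper carrying the header quoted in the thread, an ordinary PHP
# session file and a plain text file. Files are owned by whoever runs this,
# so pass `id -un` as OWNER when testing.
make_sample_tmp() {
    root=$(mktemp -d)
    printf '#!/usr/bin/perl\n# this spreader is coded by xdh\n# only for testing...\n' > "$root/blue"
    cp "$root/blue" "$root/blue.1"
    printf 'count|i:3;\n' > "$root/sess_00f39873b47be556f0c047e96b726640"
    printf 'no shebang here\n' > "$root/notes.txt"
    echo "$root"
}

# Demo on the constructed directory; only the two blue copies should be listed,
# with the same checksum.
sample=$(make_sample_tmp)
find_dropped_scripts "$sample" "$(id -un)"
rm -rf "$sample"
```

Copy the hits somewhere read-only before deleting them (the header and the hard-coded peer in lsof are what you hand to the abuse desk of the remote host), and remember that killing the files does not close the hole the apache user was exploited through; the session files in the same listing point at a PHP application that still needs to be found and patched.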


